Hi...

> I would argue that logging a user in is business logic. However, the user
> state (i.e. whether the user is logged in) is part of the model - a
> "permission denied" message is the appropriate view of the model when the
> user is not logged in; thus this belongs in the JSP.

Everything is right - though I would say that checking permissions
makes most sense on the controller side (-> business logic).

> I check permissions at the top of all of my JSPs - I don't feel that this
> has caused business logic to leak into the pages. However, if clients can
> post directly to your actions the actions need to check permissions, too
> (since the post might not have come from a valid page).

In my application all important stuff (retrieving/storing data to be
displayed in my JSP) is done by the controller; bypassing the servlet
is possible but doesn't make much sense.
Most likely the user will not see more than some ugly null pointer
exceptions because beans are missing or whatever. There's no "official"
way to get to these pages directly... so - who cares?! :)

Regards,

Tobias
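
The permission check discussed in this thread, placed in front of both the actions and the JSPs, as an added example that is not part of the original message. It assumes the servlet API on the classpath, actions mapped by extension as `*.do`, a `/login.do` action, a `user` session attribute set at login, and a filter mapping of `/*`; all of these names are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread. Assumed names: the "user" session
 * attribute set at login, the /login.do action, and a filter mapping of /*.
 */
public class PermissionFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    /** Policy in one place: returns the HTTP status for a client request. */
    static int decide(String servletPath, boolean loggedIn) {
        String path = servletPath.toLowerCase(Locale.ROOT);
        if (path.equals("/login.do")) {
            return HttpServletResponse.SC_OK;            // login must stay reachable
        }
        if (path.endsWith(".jsp")) {
            return HttpServletResponse.SC_NOT_FOUND;     // views are reached by forward only
        }
        return loggedIn ? HttpServletResponse.SC_OK : HttpServletResponse.SC_FORBIDDEN;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): never create a session just to look for a login.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        int status = decide(request.getServletPath(), loggedIn);
        if (status == HttpServletResponse.SC_OK) {
            chain.doFilter(req, res);   // the action runs, then forwards to its JSP
        } else {
            response.sendError(status); // rejected before any action or JSP code runs
        }
    }
}
```

With the default dispatcher setting a filter is invoked for client requests only, so the controller's forward to a JSP still goes through while a direct request for the same JSP is rejected.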


