Hi,
My suggestion is to use custom taglibs: one to check the user session and one to
check his role.
When the user logs in you can create a user bean which you'll store in the
session. In this user bean you can have a method called getRole().
So in your taglib you'll have :

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
public class AuthorizedTag extends TagSupport {
    private String role; // set by the container from the tag's "role" attribute
    public void setRole(String role) { this.role = role; }
    public String getRole() { return role; }
    public int doStartTag() throws JspException {
        // MyContext wraps request/response and runs the authorization check
        MyContext ctx = new MyContext((HttpServletRequest) pageContext.getRequest(),
                                      (HttpServletResponse) pageContext.getResponse());
        if (ctx.isAuthorized(getRole())) {
            return EVAL_BODY_INCLUDE; // authorized: render the tag body
        } else {
            return SKIP_BODY;         // not authorized: hide the body
        }
    }
}
Where MyContext is your object on which you make the authorization procedure,
and role is an attribute to your custom tag.
Your tld will look like this :
<tag>
    <name>authorized</name>
    <tagclass>mypackage.AuthorizedTag</tagclass>
    <bodycontent>JSP</bodycontent>
    <attribute>
        <name>role</name>
        <required>true</required>
        <rtexprvalue>true</rtexprvalue>
    </attribute>
</tag>
And in your jsp page you'll have :
<auth:authorized role="A">
        <!--your page content here-->
</auth:authorized>

It's not such a good idea to hard code the roles in the jsp page. A better approach
will be to have instead of role an attribute called resourceid, for example, a
NotAuthorized taglib, and have your user bean load a black list and check if
the resource the user is trying to access is not on his black list.


Ovidiu
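As an added example (not code from this thread), here is one way to write the MyContext object the reply leaves to the reader: it takes the user bean from the session and checks the role, and a servlet filter applies the same check when the JSP is requested by URL, since the tag can only hide content on a page that has already been served. The UserBean shape, the "user" session attribute name and the "requiredRole" init-param are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Assumed shape of the user bean stored in the session at login.
class UserBean {
    private final Set<String> roles;
    UserBean(Set<String> roles) { this.roles = roles; }
    public boolean hasRole(String role) { return roles.contains(role); }
}

// Assumed implementation of the MyContext object the reply refers to.
class MyContext {
    private final HttpServletRequest request;
    MyContext(HttpServletRequest request, HttpServletResponse response) { this.request = request; }

    // True only if a logged-in user is in the session and holds the required role.
    public boolean isAuthorized(String requiredRole) {
        HttpSession session = request.getSession(false); // never create a session here
        if (session == null || requiredRole == null) return false;
        Object user = session.getAttribute("user");      // assumed attribute name
        return user instanceof UserBean && ((UserBean) user).hasRole(requiredRole);
    }
}

// Filter mapped in web.xml to the protected JSPs (e.g. /roleA/*) with an
// init-param "requiredRole"; it rejects the request before the page runs,
// so the tag only decides what to render, not who may reach the page.
public class RoleFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig cfg) { requiredRole = cfg.getInitParameter("requiredRole"); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (new MyContext(request, response).isAuthorized(requiredRole)) {
            chain.doFilter(req, res);                       // authorized: continue
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // deny, do not render
        }
    }
}
```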

----- Original Message ----- 
From: "Vano Beridze" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 28, 2003 4:57 PM
Subject: security pattern


> Hello
> I'm a new user to struts.
>
> What will be the best design pattern to achieve jsp pages protection in
> my web app?
>
> For instance I want to implement the following scenario.
>
> user A has a role RoleA
> user B has a role RoleB
>
> I have two pages:
> PageThatRequiresRoleA.jsp
> PageThatRequiresRoleB.jsp
>
> only user A must have access to PageThatRequiresRoleA.jsp
> and
> only user B must have access to PageThatRequiresRoleB.jsp
>
> Thank you very much
>
> Vano
>

