Hi,

My suggestion is to use custom taglibs: one to check the user session and one to check his role. When the user logs in you can create a user bean which you'll store in the session. In this user bean you can have a method called getRole(). So in your taglib you'll have:

    public int doStartTag() throws JspException {
        // wrap the request/response so the authorization check can see the session
        MyContext ctx = new MyContext((HttpServletRequest) pageContext.getRequest(),
                                      (HttpServletResponse) pageContext.getResponse());
        if (ctx.isAuthorized(getRole())) {
            // doStartTag() must return EVAL_BODY_INCLUDE (EVAL_BODY_AGAIN is only valid from doAfterBody())
            return EVAL_BODY_INCLUDE;
        } else {
            return SKIP_BODY;
        }
    }

Where MyContext is your object on which you make the authorization procedure, and role is an attribute to your custom tag. Your tld will look like this:

    <tag>
      <name>authorized</name>
      <tagclass>mypackage.AuthorizedTag</tagclass>
      <bodycontent>JSP</bodycontent>
      <attribute>
        <name>role</name>
        <required>true</required>
        <rtexprvalue>true</rtexprvalue>
      </attribute>
    </tag>

And in your jsp page you'll have:

    <auth:authorized role="A">
      <!-- your page content here -->
    </auth:authorized>

It's not such a good idea to hard code the roles in the jsp page. A better approach will be to have, instead of role, an attribute called resourceid, for example, a NotAuthorized taglib, and have your user bean load a black list and check if the resource the user is trying to access is not on his black list.

Ovidiu

----- Original Message -----
From: "Vano Beridze" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 28, 2003 4:57 PM
Subject: security pattern

> Hello
> I'm a new user to struts.
>
> What will be the best design pattern to achieve jsp pages protection in
> my web app?
>
> For instance I want to implement the following scenario.
>
> user A has a role RoleA
> user B has a role RoleB
>
> I have two pages:
> PageThatRequiresRoleA.jsp
> PageThatRequiresRoleB.jsp
>
> only user A must have an access to PageThatRequiresRoleA.jsp
> and
> only user B must have an access to PageThatRequiresRoleB.jsp
>
> Thank you very much
>
> Vano
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
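The reply above shows only the doStartTag() method of the tag handler. The following is a complete, fail-closed version of the same idea as an added example; it is not code from the thread or from Struts. The UserBean class, the session attribute name mypackage.user, and the isAuthorized() helper are assumptions made here: Ovidiu's mail only says that a user bean with a getRole() method is stored in the session at login.

```java
package mypackage;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

/**
 * Illustrative user bean placed in the HttpSession at login time.
 * Its name and shape are assumptions for this example; the thread only
 * states that the bean exposes getRole().
 */
class UserBean implements java.io.Serializable {
    private final String role;
    UserBean(String role) { this.role = role; }
    public String getRole() { return role; }
}

/**
 * Tag handler for <auth:authorized role="...">. The body is rendered only
 * when the session holds a UserBean whose role equals the attribute value;
 * every other case (no session, no bean, different role) skips the body.
 */
public class AuthorizedTag extends TagSupport {

    /** Session attribute under which login stores the UserBean (assumed name). */
    static final String USER_KEY = "mypackage.user";

    private String role;

    /** Called by the container for the "role" tag attribute declared in the TLD. */
    public void setRole(String role) { this.role = role; }
    public String getRole() { return role; }

    public int doStartTag() throws JspException {
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();
        // EVAL_BODY_INCLUDE renders the body in place; SKIP_BODY hides it entirely
        return isAuthorized(request, role) ? EVAL_BODY_INCLUDE : SKIP_BODY;
    }

    /**
     * Fail-closed check. getSession(false) never creates a session, so an
     * unauthenticated visitor sees nothing; a missing or empty role attribute
     * and a session without a UserBean also deny rather than allow.
     */
    static boolean isAuthorized(HttpServletRequest request, String requiredRole) {
        if (requiredRole == null || requiredRole.length() == 0) {
            return false;
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object o = session.getAttribute(USER_KEY);
        if (!(o instanceof UserBean)) {
            return false;
        }
        return requiredRole.equals(((UserBean) o).getRole());
    }

    /** Tag handlers may be pooled; clear state so a reused instance cannot carry the previous role. */
    public void release() {
        role = null;
        super.release();
    }
}
```

Register the class under <tagclass> in the TLD exactly as the reply shows. One caveat for anyone adopting this pattern: the tag only hides markup inside a page that is already executing. A direct request for PageThatRequiresRoleB.jsp still runs that JSP (and any scriptlets or actions in it), so the same role check should also be enforced before the page is reached, for example by keeping the JSPs under WEB-INF and forwarding to them from an action, by a servlet Filter that performs the same isAuthorized() check, or by a <security-constraint> in web.xml.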