sudip shrestha wrote:
I can understand presenting different menu options based on userThe JSPs shouldn't be directly accessible anyway--if they're under WEB-INF then they cannot be directly accessed.
privileges and having the same layout pages. But my concern is there
may be some pages which a user with less privileges may not be allowed
to see at all, and what if he finds the url of that page and types the
url in the browser and if that particular page does not have the
authority-check not built into it, that user may be able to do stuff
on the page......I hope you know what I am saying.
Authentication would be handled either in a) a filter, b) an Action super-class, c) a custom RequestProcessor, or d) somewhere else.
Personally, I don't believe _any_ authentication belongs in the view, but I'm obsessive.
If an action is protected by one of the mechanisms above (or something functionally similar) and the JSPs are not directly accessible, then you don't need to worry about it at all on the presentation side.
Dave
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
