Hi Rivka,

You could do something like this for the custom tag. You'll need to set up how you store the current user in the session and the implementation of your security session.

import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

public class CheckPermissionTag extends TagSupport {

    private String key;

    /**
     * @param key The key to set.
     */
    public void setKey(String key) {
        this.key = key;
    }

    public int doStartTag() throws JspException {
        User user = getUserFromSession();
        SecurityService service = .....

        if ( service.doesUserHavePermission( key ) ) {
            // user has permission
            return EVAL_BODY_INCLUDE;
        }

        // user does not have permission to access
        // so skip the body content
        // (SKIP_BODY, not EVAL_PAGE, is the doStartTag value that skips the body)
        return SKIP_BODY;
    }
}

########################

As for the request processor, create a subclass and override the following 
method

protected boolean processPreprocess(HttpServletRequest request,
        HttpServletResponse response) {
        User user = getUserFromSession();
        SecurityService service = .....

        // determine the key from the request uri
        String key = ....

        if ( service.doesUserHavePermission( key ) ) {
            // user has permission
            return true;
        }

        // user does not have permission to access
        // so do not allow the page
        try {
            response.sendRedirect( ..... );
        } catch (java.io.IOException e) {
            // sendRedirect declares IOException but processPreprocess does not;
            // the request is refused either way
            log.error("Redirect after denied permission failed", e);
        }
        return false;
}

You can set up your request processor in your struts-config.xml

Gareth
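
One way to fill in the "determine the key from the request uri" step, as an added example that is not part of Gareth's message: a deny-by-default lookup that reuses the permission keys from the tag, so hidden links and refused requests stay in agreement. The class name, the action paths and the set-of-keys representation of a user are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Added example: deny-by-default mapping from an action path to a permission key. */
public class ActionPermissionCheck {

    // Hypothetical action paths; the keys are the ones used with the tag in this thread.
    private static final Map<String, String> KEY_BY_ACTION = Map.of(
            "/viewStudent", "VIEW_STUDENT_RECORD",
            "/updateStudent", "UPDATE_STUDENT_RECORD",
            "/deleteStudent", "DELETE_STUDENT_RECORD");

    /** Reduces a servlet path such as "/viewStudent.do;jsessionid=abc" to "/viewStudent". */
    static String actionPath(String servletPath) {
        String path = servletPath;
        int semi = path.indexOf(';');               // drop path parameters
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        if (path.endsWith(".do")) {                 // drop the Struts extension mapping
            path = path.substring(0, path.length() - 3);
        }
        return path;
    }

    /** True only when the path is mapped AND the user holds the mapped key. */
    static boolean isAllowed(String servletPath, Set<String> userKeys) {
        if (servletPath == null || userKeys == null) {
            return false;
        }
        String key = KEY_BY_ACTION.get(actionPath(servletPath));
        return key != null && userKeys.contains(key);   // unmapped path => denied
    }

    public static void main(String[] args) {
        Set<String> viewer = Set.of("VIEW_STUDENT_RECORD");   // constructed sample user
        String[] requests = {                                  // constructed sample requests
            "/viewStudent.do", "/deleteStudent.do",
            "/viewStudent.do;jsessionid=constructed", "/exportStudents.do" };
        for (String r : requests) {
            System.out.println(r + " -> " + (isAllowed(r, viewer) ? "allow" : "deny"));
        }
    }
}
```

Because an unmapped path is refused, a new action stays unreachable until someone assigns it a key.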

Rivka Shisman wrote:

Hi Gareth

Can you please send me an example of the <customtags:checkpermission> tag? And 
also an example of how to change the request processor?

Thanks a lot
Rivka


-----Original Message-----
From: Gareth Evans [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 3:25 PM
To: Struts Users Mailing List
Subject: Re: Enabling links according to user's authorization

Hi Rivka,

You could hide the links by creating a custom tag that only evaluates its body content if the current user has the required permission. e.g.

<customtags:checkpermission key="VIEW_STUDENT_RECORD">
        <html:link action="view...">View</html:link>
</customtags:checkpermission>

<customtags:checkpermission key="UPDATE_STUDENT_RECORD">
        <html:link action="update...">Update</html:link>
</customtags:checkpermission>

<customtags:checkpermission key="DELETE_STUDENT_RECORD">
        <html:link action="delete...">Delete</html:link>
</customtags:checkpermission>

But in addition to this you could stop the request from taking place at the requestprocessor level. i.e. in case somebody guesses the link.

Gareth

Rivka Shisman wrote:


Hi again,

Letícia - Does hiding the links mean that I should put a heavy security 
checking code on each such JSP page? Or is there a nicer way?

Gareth - I'm not sure I understand - by "If permission is denied you could forward 
to a different page." - do you mean that if I can have 4 links on my JSP page 
(view, insert, update, delete), I need to hold 16 (4*4) versions of that page where each 
version shows different combination of links?

Thanks
Rivka


-----Original Message-----
From: Gareth Evans [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 2:59 PM
To: Struts Users Mailing List
Subject: Re: Enabling links according to user's authorization

In addition to hiding the links, extend the requestprocessor to check against the current user and your security table. If permission is denied you could forward to a different page.

The best place to do this is in the processPreprocess(HttpServletRequest, HttpServletResponse) method.

Just hiding the links is not enough.

Gareth



Letícia Álvares Barbalho wrote:


Hide the links. This way, you won't let him lose time trying to access things
he can't and his view of the interface will be more clear.

On 1/11/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:



Hi everyone,

We have a web application running on Websphere Application Server V6.
Say I have a JSP page that enables working on Student details.
This JSP page enables users to view, insert, update or delete student
records.
Now, some users can only use the 'View' link, others can also use
'Insert' link, and some other users can only update.


From what I know, I can hold a DB table that indicates for each user and
table - which operations are allowed.
But, my question is - what is the right way to do that on the JSP page?
Do I call this security table on each page load and hide the
unauthorized links? Or, do I always show all the links and just let the
database throw an exception and give a message to the user, when he/she
presses an unauthorized link? Or is there a third and better way?

Thanks
Rivka





--
Letícia Álvares Barbalho
[EMAIL PROTECTED]





--
Gareth Evans

MSoft eSolutions Limited
Technology Centre
Inward Way
Rossmore Business Park
Ellesmere Port
Cheshire
CH65 3EN

--
Tel:    +44 (0)870 0100 704
Fax:    +44 (0)870 9010 705
E-Mail: [EMAIL PROTECTED]
Web:    www.msoft.co.uk
