And yes, for us it's not possible to let users change only parts of JSPs
and deny execution of these parts based on some credential assessments
executed during some <if checkAccess> tags


kazukin6 wrote:
> 
> Martin, thanks for a guide! I took a look at the Jetspeed (and portlet
> specifications too) and it seems pretty interesting. I'll definitely study
> it. The only thing that scares me is that the specs
> (http://www.jcp.org/aboutJava/communityprocess/review/jsr168/) weren't
> updated since 2003
> 
> And yes, you really got it. Our system indeed is a portal and CMS and
> something else too. And it somehow resembles the functions the Portal API
> has. At this moment we're developing CRM part based on it. We already have
> a whole bunch of portal functionality (it doesn't have any XML config 'cause
> it's highly dynamic and config is stored in DB) and very specific security
> system, tuned to our specific features, and at this point I'm not sure
> we'll be able to seamlessly integrate any second-party solution into this
> architecture. 
> 
> 
> 
> mgainty wrote:
>> 
>> 
>> that was a 30 second solution amongst 100 different solutions
>> 
>> so maybe you want to categorise the jsps and then enable / disable
>> view/update/delete of the resources in those categories depending on
>> the authenticated credentials of the user
>> for this scenario you might want to look at portals and/or
>> content-management systems
>> 
>> i would start here
>> http://portals.apache.org/jetspeed-1/fusion.html
>> 
>> Martin
>> 
>>> Date: Sat, 13 Sep 2008 17:32:29 -0700
>>> From: [EMAIL PROTECTED]
>>> To: users@tomcat.apache.org
>>> Subject: Question is answered. See Bill Barker-2 answer
>>> 
>>> 
>>> Hi, Martin
>>> Thanks for the answer
>>> I see what you mean, but the problem is slightly different
>>> 
>>> The matter is that our users can change jsp files whatever they like via
>>> administrative interface, so we want to restrict the use of scriptlets in
>>> these jsp's because of possible abuses
>>> 
>>> Bill Barker-2 provided the comprehensive answer to this problem
>>> 
>>> 
>>> mgainty wrote:
>>> > 
>>> > 
>>> > use the struts if tag to conditionally disable the code
>>> > <%@ taglib prefix="s" uri="/struts-tags"%>
>>> > 
>>> > <s:if test="%{false}">
>>> >     <div>Will Not Be Executed</div>
>>> > </s:if>
>>> > 
>>> > http://struts.apache.org/2.0.11.2/docs/if.html
>>> > thanks to struts
>>> > Martin 
>>> > 
>>> >> Date: Sat, 13 Sep 2008 08:58:59 -0700
>>> >> From: [EMAIL PROTECTED]
>>> >> To: users@tomcat.apache.org
>>> >> Subject: Re: Disable java code execution <%blabla%> in jsp, but permits tags
>>> >> 
>>> >> 
>>> >> We want them to be able to customize information they get from our
>>> >> system by using custom tags
>>> >> 
>>> >> 
>>> >> H. Hall wrote:
>>> >> > 
>>> >> > kazukin6 wrote:
>>> >> >> Plz Help !!
>>> >> >> Is it possible to disable all java code execution within jsp page (by
>>> >> >> security manager or something)
>>> >> >> but allow custom tags to be executed?
>>> >> >>
>>> >> >> The problem is that the users can change jsp files, and due to security
>>> >> >> reasons we can allow them to use only tags
>>> >> >>   
>>> >> > Why are users allowed to change jsp files?
>>> >> > 
>>> >> > HH
>>> >> > 
>>> >> > 
>>> >> > 
>>> >> > -- 
>>> >> > H. Hall
>>> >> > ReedyRiver Group LLC
>>> >> > http://www.reedyriver.com
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19476899.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
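
Added example, not part of the thread and not the answer credited above to Bill Barker-2 (which is not reproduced on this page): the JSP 2.0 `scripting-invalid` property turns scriptlets, `<%= %>` expressions and `<%! %>` declarations into a translation-time error while tag libraries keep working. The `/custom/*` URL pattern is an assumed location for the user-editable pages.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: jsp-config needs a Servlet 2.4 (JSP 2.0) or later descriptor -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <jsp-config>
    <!-- Weak default: with no property group (or scripting-invalid set to
         false) any Java placed between scriptlet delimiters is compiled
         into the page servlet and runs with the web application's
         permissions. -->

    <!-- Hardened: pages matched by this group fail at translation time if
         they contain a scriptlet, a scripting expression or a declaration.
         Custom tags, standard actions and EL are still processed, so the
         tag libraries reachable from these pages remain the effective
         permission boundary. -->
    <jsp-property-group>
      <!-- Assumed path for pages edited through the administrative
           interface; adjust to the real layout. -->
      <url-pattern>/custom/*</url-pattern>
      <scripting-invalid>true</scripting-invalid>
    </jsp-property-group>
  </jsp-config>

</web-app>
```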