Posted to user@struts.apache.org by Rivka Shisman <ri...@nite.org.il> on 2006/01/11 13:19:32 UTC

Enabling links according to user's authorization

Hi everyone,

We have a web application running on Websphere Application Server V6.
Say I have a JSP page that enables working on Student details.
This JSP page enables users to view, insert, update or delete student
records.
Now, some users can only use the 'View' link, others can also use the
'Insert' link, and some other users can only update.

From what I know, I can hold a DB table that indicates, for each user and
table, which operations are allowed.
But, my question is - what is the right way to do that on the JSP page?
Do I call this security table on each page load and hide the
unauthorized links? Or, do I always show all the links and just let the
database throw an exception and give a message to the user, when he/she
presses an unauthorized link? Or is there a third and better way?

Thanks
Rivka

Re: Enabling links according to user's authorization

Posted by Letícia Álvares Barbalho <le...@gmail.com>.
Well, of course each action should have its own access control.
I meant: hide the links and control through the actions, so no one will
access them with a direct link.

On 1/11/06, Thomas Joseph <th...@kottsoftware.com> wrote:
>
> > Hide the links. This way, you won't let him lose time trying to access things
> > he can't and his view of the interface will be more clear.
> >
> But that won't do any good against clever people who would play with the URLs
> with their limited access rights and access what is not meant for them.
> Probably encoding URLs could help somewhat in that way.
>
> In this mailing list, people often post doubts related to general
> architecture and practices. However, the list is good enough to answer almost
> all of them, but still people would like to know where they can find a
> mailing list for "Best Practices" as such. Can anyone help out here?
>
> Thanks
>
> Thomas Joseph
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>


--
Letícia Álvares Barbalho
leticia.barbalho@gmail.com

Re: Enabling links according to user's authorization

Posted by Thomas Joseph <th...@kottsoftware.com>.
> Hide the links. This way, you won't let him lose time trying to access things
> he can't and his view of the interface will be more clear.
>
But that won't do any good against clever people who would play with the URLs with their limited access rights and access what is not meant for them. Probably encoding URLs could help somewhat in that way.

In this mailing list, people often post doubts related to general architecture and practices. However, the list is good enough to answer almost all of them, but still people would like to know where they can find a mailing list for "Best Practices" as such. Can anyone help out here?

Thanks

Thomas Joseph


Re: Enabling links according to user's authorization

Posted by Gareth Evans <ga...@msoft.co.uk>.
In addition to hiding the links, extend the RequestProcessor to check against the current user and
your security table. If permission is denied you could forward to a different page.

The best place to do this is in the processPreprocess(HttpServletRequest, HttpServletResponse)
method.

Just hiding the links is not enough.

Gareth



Letícia Álvares Barbalho wrote:
> Hide the links. This way, you won't let him lose time trying to access things
> he can't and his view of the interface will be more clear.

-- 
Gareth Evans

MSoft eSolutions Limited

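The server-side half that Letícia ("control through the actions") and Gareth (processPreprocess against the security table) describe, written out as an added example. This is not code from anyone in the thread; it assumes a Struts 1.x RequestProcessor subclass named StudentAuthRequestProcessor, a hypothetical PermissionStore facade over the (user, table, operation) DB table from the question, a username stored in the session attribute "user" at login, the store published in the ServletContext under "permissionStore", an /accessDenied.jsp page, and the four student action paths listed in the map. Because the check runs for every action request, a user who types a hidden 'Insert' URL by hand gets the denied page instead of the action.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

/** Hypothetical facade over the (user, table, operation) permission table from the question. */
interface PermissionStore {
    boolean isAllowed(String username, String table, String operation);
}

public class StudentAuthRequestProcessor extends RequestProcessor {

    /** Action path -> {table, operation} it performs. Constructed mapping for this example. */
    private static final Map<String, String[]> PROTECTED = new HashMap<String, String[]>();
    /** Actions anyone may reach; anything neither here nor in PROTECTED is refused. */
    private static final Set<String> PUBLIC = new HashSet<String>(Arrays.asList("/login", "/logout"));

    static {
        PROTECTED.put("/student/view",   new String[] {"student", "VIEW"});
        PROTECTED.put("/student/insert", new String[] {"student", "INSERT"});
        PROTECTED.put("/student/update", new String[] {"student", "UPDATE"});
        PROTECTED.put("/student/delete", new String[] {"student", "DELETE"});
    }

    @Override
    protected boolean processPreprocess(HttpServletRequest request, HttpServletResponse response) {
        try {
            // processPreprocess runs before the ActionMapping is selected, so derive the
            // action path ourselves; for /student/insert.do this yields "/student/insert".
            String path = processPath(request, response);
            if (path == null) {
                return false;                       // Struts already wrote an error response
            }
            if (PUBLIC.contains(path)) {
                return true;
            }
            String[] target = PROTECTED.get(path);
            if (target == null) {
                return deny(request, response, path, "action not catalogued (default deny)");
            }
            // The username is assumed to have been stored in the session at login.
            HttpSession session = request.getSession(false);
            String user = (session == null) ? null : (String) session.getAttribute("user");
            if (user == null) {
                return deny(request, response, path, "no authenticated user in session");
            }
            // The store is assumed to be published in the ServletContext at startup.
            PermissionStore store =
                (PermissionStore) servlet.getServletContext().getAttribute("permissionStore");
            if (store == null || !store.isAllowed(user, target[0], target[1])) {
                return deny(request, response, path,
                            user + " may not " + target[1] + " on " + target[0]);
            }
            return true;                            // let Struts dispatch to the Action
        } catch (IOException | ServletException e) {
            throw new IllegalStateException("authorization check could not complete", e);
        }
    }

    /** Audit the refusal server-side and show the user a neutral page instead of the action. */
    private boolean deny(HttpServletRequest request, HttpServletResponse response,
                         String path, String reason) throws IOException, ServletException {
        servlet.log("authorization denied for " + path + ": " + reason);
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher("/accessDenied.jsp").forward(request, response);
        return false;                               // stop RequestProcessor.process() here
    }
}
```

Register it in struts-config.xml with `<controller processorClass="StudentAuthRequestProcessor"/>` (fully qualified if it lives in a package). The denial is logged with the username, path and reason so refused attempts show up in the server log, while the user only sees the generic page. Hiding the links in the JSP is still worth doing for usability, as Gareth says; it just is not where the decision is made.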

Re: Enabling links according to user's authorization

Posted by Letícia Álvares Barbalho <le...@gmail.com>.
Hide the links. This way, you won't let him lose time trying to access things
he can't and his view of the interface will be more clear.


--
Letícia Álvares Barbalho
leticia.barbalho@gmail.com

Re: Enabling links according to user's authorization

Posted by Wendy Smoak <ws...@gmail.com>.
On 1/11/06, Rivka Shisman <ri...@nite.org.il> wrote:

> From what i know, i can hold a DB table that indicates for each user and
> table - which operations are allowed.
> But, my question is - what is the right way to do that on the JSP page?
> Do i call this security table on each page load and hide the
> unauthorized links? Or, do always show all the links and just let the
> database throw an exception and give a message to the user, when he/she
> presses an unauthorized link? Or is there a third and better way?

I use Struts Menu to conditionally display menu items based on user
roles.  Rather than configure the container to handle it, I have a
Filter that wraps the request, and the request wrapper overrides the
isUserInRole method.  In that method, I check a session-scoped 'user'
object to see if the user has that role.

The code is here, and I don't think it's Tomcat-specific:
   http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

Without Struts Menu, I think you can check roles with JSTL, or if not,
surely someone has already written a taglib to do this.

HTH,
--
Wendy
