showing pages based on roles

ajse ruku
Ranch Hand

Joined: May 06, 2005
Posts: 193
Hi all,
In my web application there are five types of users, i.e. there are five roles in my application. But I do not want to depend on my web server for role-based login. I have created my login page, and based on the user name and password, I can find out the role of the user who logged in from my database. Now I can display his home page. But how should I proceed from here? For example, if the user clicks on a link, then before opening a JSP page or servlet, should I check that the user has that privilege or not? How should I check?

with regards,
ajse
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
    
The usual scenario would be not to include the links in the page if the user is not allowed to access them. It's confusing if a user is shown options and/or links she cannot access. Thus the JSP page would need to have knowledge of the user's permissions during rendering.


Arvind Sampath
Ranch Hand

Joined: May 11, 2005
Posts: 144
If a user doesn't have access to a transaction, don't show the link. In addition to that, make sure that the user will not be able to access the transaction by any means, even by hook/crook.

Ideally each transaction should go through a Controller. The Controller will have to decide if the user is Authorized to perform that transaction. If you are using Struts, all your Action classes should extend a CommonAction class. In the first line of your Action class's execute method, invoke the execute() method of the Super class.

If you are not using Struts, let all your servlets extend a common Controller Servlet, which does the authorization piece.


Arvind
ajse ruku
Ranch Hand

Joined: May 06, 2005
Posts: 193
Thanks for your post, Ulf, but how will the JSP page determine whether to show the link or not for a particular user?
ajse ruku
Ranch Hand

Joined: May 06, 2005
Posts: 193
Thanks, Arvind, for your post, but in the execute method of the super class, how will I check who the logged-in user is? Will it be through the session object or anything else?
with regards,
ajse
Arvind Sampath
Ranch Hand

Joined: May 11, 2005
Posts: 144
It has to be through the session object. Create a Value Object class for maintaining the User Profile. The class will contain all the user info that's required, like User Id, Name, Role, etc. When the user logs into the system, load all the info into the UserProfile object and associate the object with his/her session.

The Controller while authorizing the user will get the UserProfile object from the session and will decide on further action.


Arvind
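
A sketch of the common controller servlet and session-held UserProfile described in the posts above, as an added example that is not code from any poster. The class names, the `userProfile` session key, the `/login.jsp` path and the `allowedRoles()` hook are assumptions; it targets the `javax.servlet` API.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Value object stored in the session at login (hypothetical name and fields). */
final class UserProfile implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String userId;
    private final String role;
    UserProfile(String userId, String role) { this.userId = userId; this.role = role; }
    String getUserId() { return userId; }
    String getRole() { return role; }
}

/** Common controller: every servlet extends this, so the check cannot be skipped. */
public abstract class AuthorizedServlet extends HttpServlet {
    /** Session attribute the login code stores the profile under (assumed key). */
    public static final String PROFILE_ATTR = "userProfile";

    /** Each concrete servlet declares which roles may call it (hypothetical hook). */
    protected abstract Set<String> allowedRoles();

    @Override
    protected final void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create a session here
        Object attr = (session == null) ? null : session.getAttribute(PROFILE_ATTR);
        if (!(attr instanceof UserProfile)) {
            // Not logged in: send to the login page (path is an assumption).
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        UserProfile profile = (UserProfile) attr;
        if (!allowedRoles().contains(profile.getRole())) {
            // Logged in but not permitted: deny on the server, whatever links were shown.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        super.service(req, resp); // dispatch to doGet/doPost of the subclass
    }
}
```

Because `service` is final, a subclass only implements `doGet`/`doPost` and `allowedRoles()`; a JSP can read the same session attribute to decide which links to render, but the server-side check above is what enforces access.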
ajse ruku
Ranch Hand

Joined: May 06, 2005
Posts: 193
Hi Arvind,
As you said, for every click (say on a link), a user will go to the action class, and then the action class will determine where to forward the user. It means the link will be visible to all users. What if we disable or enable a link based on the user role? How can we do this?

with regards,
ajse
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
    
Like Arvind suggested, there would be a Session object, in which you keep all information about the user, e.g. the roles he is in. Since the session is available to JSP pages, you can base the rendering of the page on his authentication status.
[ August 02, 2006: Message edited by: Ulf Dittmer ]
ajse ruku
Ranch Hand

Joined: May 06, 2005
Posts: 193
Thanks guys for your help
 