
Design Question

O. Ziggy
Ranch Hand

Joined: Oct 02, 2005
Posts: 430

Ok here is a design question.

I've got an application where users are given access to different areas of the application depending on their profile level. For example, all users with profile level 1 can add products to the database but not add customers. Users with profile level 2 can do both.

I have implemented this on the server side using the following technologies


What happens is that before a method is executed on the server side, the servlet checks the user's access level to verify that the Action can be executed.

On the client side the users see links to all Actions. I would like to change this so that users can only see the links to Actions/Servlets which their profile level allows them to execute.

My question is what is the simplest way to do this? I have thought of the following solutions

1. Perform a check on the profile level through the JSP and verify the user is allowed to view this link. I know this will work but it will cause problems later in the future if changes are made to the application. This will also introduce a dependency between the front-end and the server-side servlets, in that I might need to make changes both on the front-end and in the servlets.

2. Not display a page at all if the user is not allowed to view it. This is a problem because some pages contain several links, some of which the user can execute and some they can't.

I would like to be able to enable/disable/display hyperlinks/buttons on the front-end based on the user's profile. Can someone suggest a solution whereby I can safely implement this while at the same time complying with the MVC concepts, i.e. the front-end view does not depend on the actual processing on the server side? Can this be done via XML? Or can Struts be used to do this?

Thanks in advance.
vidya sagar
Ranch Hand

Joined: Mar 02, 2005
Posts: 580

I am not very good at designing... Anyhow, I have some suggestions for you.

Normally only links and/or buttons will differ from user to user based on their profile, so go for a custom JSP for links and/or buttons and include it in every JSP page.

For example:

user level 1 : include level1.jsp in every jsp
user level 2 : include level2.jsp in every jsp

Note: based on a condition, you make your includes in the JSP page. Conditions for the include may be taken from a session variable, which you can set for him at login time.

If there are any changes, we only have to change them in one place; any additional level of users can be added with less pain.

Hope it helps
O. Ziggy
Ranch Hand

Joined: Oct 02, 2005
Posts: 430


Some JSPs will have links to which they are allowed and some links to which they won't be allowed. I believe the includes won't be able to hide specific hyperlinks.

The application I am developing has around 300 hyperlinks scattered around several content areas. Each hyperlink initiates a transaction in an Oracle database. Several people will be associated with different hyperlinks. The transactions associated to each user change very frequently, meaning the hyperlinks they see must change as well. If the rules that govern the access levels change, then I have to manually change all the hyperlinks in the JSP pages.

Take this as an example,

What happens if all managers are now allowed to access Admin features in the application? You will have to manually change each view component that refers to these roles. Is there a way to avoid this manual change?

The reason I have to avoid this is because the transactions associated to users in my application actually change very frequently.

To give you an idea of how this is stored in the database, here is an example of the data governing the rules.





The UserTransactions table governs which hyperlink (business transaction) the user can view. This table is updated every week, sometimes every day, as and when required.

[ April 26, 2006: Message edited by: O. Ziggy ]
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
Here's one possible solution:

Create an Authorization bean that looks something like this:

Then in your jsp:

Where I have assigned "def" to the userId property, you may want to assign <c:out value="${user.userId}" /> or something like that. Also, you may want to use actionId instead of transactionId as the first property of the Authorization bean. Anyway, I think you get the picture.

Consultant, Sima Solutions
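
The bean code from the post above did not survive on this page. What follows is an added example, not Merrill Higginson's code, of an Authorization bean with the transactionId and userId properties he mentions, in which one rule decides both whether the JSP shows a link and whether the servlet runs the transaction. Assumptions: the in-memory map is constructed sample data standing in for the UserTransactions table, and the method names, user "abc" and the transaction ids are hypothetical.

```java
import java.util.Map;
import java.util.Set;

/** Added example: one authorization rule shared by the view and the servlet. */
public class Authorization {
    // Constructed sample data standing in for the UserTransactions table
    // (user id -> transaction ids that user may execute).
    private static final Map<String, Set<String>> USER_TRANSACTIONS = Map.of(
            "abc", Set.of("ADD_PRODUCT"),
            "def", Set.of("ADD_PRODUCT", "ADD_CUSTOMER"));

    private String transactionId;
    private String userId;

    public void setTransactionId(String transactionId) { this.transactionId = transactionId; }
    public void setUserId(String userId) { this.userId = userId; }

    /** Bean getter, readable from a JSP as ${auth.authorized} to show or hide a link. */
    public boolean isAuthorized() {
        return isAllowed(userId, transactionId);
    }

    /** The same rule, called by the servlet before it executes the transaction. */
    public static boolean isAllowed(String userId, String transactionId) {
        if (userId == null || transactionId == null) {
            return false; // missing identity or action: deny by default
        }
        // Users with no row in the table get an empty set, so they are denied too.
        return USER_TRANSACTIONS.getOrDefault(userId, Set.of()).contains(transactionId);
    }

    public static void main(String[] args) {
        Authorization auth = new Authorization();
        auth.setUserId("abc");
        auth.setTransactionId("ADD_CUSTOMER");
        // View side: decides whether the hyperlink is rendered for this user.
        System.out.println("show link for abc: " + auth.isAuthorized());
        // Server side: a hand-typed URL for the hidden link hits the same rule.
        System.out.println("servlet allows abc: " + isAllowed("abc", "ADD_CUSTOMER"));
        System.out.println("servlet allows def: " + isAllowed("def", "ADD_CUSTOMER"));
        System.out.println("unknown user: " + isAllowed("zzz", "ADD_PRODUCT"));
    }
}
```

Because the JSP only reads the bean's boolean, a change to the UserTransactions data changes which links appear without touching any page, and the servlet-side check stays the actual access control.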