How to distinguish session attributes?

E Blietzcreg
Greenhorn

Joined: Dec 16, 2013
Posts: 4
On the login servlet side I have 2 conditions to check if the user is simple or admin.


I set 2 different attributes for them. How do I distinguish the attributes, for example in the index JSP page, to show different content/site design/etc.?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42608
    
  65
Welcome to JavaRanch.

Why use different attribute names? You can use the EL with a JSTL <c:if> like this:

or a <c:choose> if you need to take action whether or not a user is an admin user.


Ping & DNS - my free Android networking tools app
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16240
    
  21

One of the advantages of using the J2EE standard security system is that you don't have to do any of that. You don't even have to write a login method. AND, it's a LOT more secure than a do-it-yourself security system. Most of them aren't secure at all.

Just define what URLs are admin-only and map an administrator role to them in WEB-INF/web.xml.


Customer surveys are for companies who didn't pay proper attention to begin with.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42608
    
  65
That wouldn't solve the problem of how to display content meant for specific user groups in a particular JSP, though (which in my experience is a common thing to want to do).

You should take Tim's advice and hook into the container-provided security, though. If you then use a library like Apache Shiro for security, you get JSP tags that let you do exactly what you're asking for: http://shiro.apache.org/web.html#Web-taglibrary
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16240
    
  21

In addition to Shiro, some of the various J2EE webapp frameworks also hook into the J2EE standard (container) security system. Struts is a good example. JavaServer Faces (JSF) is not, but it has more server-side rendering control which presumably makes up for it.

Be aware, however, that suppressing the rendering of sensitive parts of a form is only secure in that it does not display data to unauthorized persons. A malicious person can easily hack in missing form fields that update sensitive data, so if the page in question is vulnerable to that, then the request-handling code has to verify that the user is authorized to change the sensitive data. That is normally done by using the HttpServletRequest isUserInRole() method to determine whether the user has an administrator role or something similar.

I have been known to also define "auditor" security roles so that a third-party inspector can look at, but not update data.
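The server-side check described in the post above, as an added example that is not part of the original thread: a servlet that re-authorizes a sensitive field with isUserInRole() even though the JSP only renders it for admins. The servlet name, URL, parameter names, the "admin" role name and the in-memory maps are assumptions for illustration; it uses the javax.servlet API with container-managed authentication.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; URL, parameter names and the in-memory stores are assumptions.
@WebServlet("/profile/update")
public class ProfileUpdateServlet extends HttpServlet {
    private static final String ADMIN_ROLE = "admin"; // a role mapped in WEB-INF/web.xml
    private final Map<String, String> displayNames = new ConcurrentHashMap<>();
    private final Map<String, Long> creditLimits = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser(); // null unless the container authenticated the caller
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String displayName = req.getParameter("displayName");
        String creditLimit = req.getParameter("creditLimit"); // rendered by the JSP for admins only

        Long newLimit = null;
        if (creditLimit != null) {
            // Hiding the field in the JSP does not stop it arriving; authorize it here.
            if (!req.isUserInRole(ADMIN_ROLE)) {
                log("Denied creditLimit change attempted by non-admin user " + user);
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            try {
                newLimit = Long.valueOf(creditLimit);
            } catch (NumberFormatException e) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        // Apply changes only after every check has passed.
        if (displayName != null) {
            displayNames.put(user, displayName);
        }
        if (newLimit != null) {
            creditLimits.put(user, newLimit);
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The denial is logged with the container-supplied user name only, so the log line does not echo request parameters.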
E Blietzcreg
Greenhorn

Joined: Dec 16, 2013
Posts: 4
Thanks for the answers. I understand that this approach is not secure and not commonly used, but the problem is that I use TAGS for a dynamic web, adding the navigation links, content, etc. I just want to know if there is a possibility to distinguish a user by session attributes?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42608
    
  65
What is the "problem" about using tags? I'm not sure I understand what you mean by that. Why would they preclude using one of the approaches mentioned above?
E Blietzcreg
Greenhorn

Joined: Dec 16, 2013
Posts: 4
Well, I'll try using SHIRO then, but no one answered the question, though all offering alternatives ;D
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42608
    
  65
The reason nobody answered your original question is because you'd have to do some kind of "instanceof" check in the JSP - and that's not what JSPs are for. The first solution would be to have just one object type, from which you can get all the information you need, no matter what kind of user it is. The second (much better, IMO) solution is to hook into the container's managed security, and use the Shiro tags on top of that.
E Armitage
Rancher

Joined: Mar 17, 2012
Posts: 892
    
    9
E Blietzcreg wrote: Well, I'll try using SHIRO then, but no one answered the question, though all offering alternatives ;D

You can access session attributes in the JSP if you want to. Is your question how to use expression language to access session attributes?
You were given alternatives because they are all better than what you are trying to do.
E Blietzcreg
Greenhorn

Joined: Dec 16, 2013
Posts: 4
E Armitage wrote:
E Blietzcreg wrote: Well, I'll try using SHIRO then, but no one answered the question, though all offering alternatives ;D

You can access session attributes in the JSP if you want to. Is your question how to use expression language to access session attributes?
You were given alternatives because they are all better than what you are trying to do.


Yes, I want to know how exactly to access the attributes.
E Armitage
Rancher

Joined: Mar 17, 2012
Posts: 892
    
    9
There are implicit objects, one of which is called sessionScope. You access its values using . Note that using fine-grained values in session is an anti-pattern and so should be avoided.