I just viewed the code of the logon page and found out that the previous programmer "hard-coded" the user groups in the JSP. I am wondering if that's the right way to do it. What if groups keep being added, and all of them have different menus? Here is the tedious code:
That is super tedious to me. Do you guys have any good suggestions for implementing this logic better than the above code? I hate hard-coding.
Use a combination of custom tags (like JSTL tags), Java classes (where the logic resides; you can use polymorphism to avoid if..else constructs) and a .properties file where the hard-coded values reside (you can use an observable pattern to reload the properties file without stopping the server).
You're right, that code is going bad places. It's hard to maintain and easy to hack. First, hide the mechanism to determine privileges inside some kind of security utility:
if ( SecurityManager.hasPermission( userid, "MenuA" ) ) ...
One common data structure behind this kind of thing is
a user belongs to one or more groups
a group has one or more resources
a resource is something like MenuA or WriteLargeCheck
In a basic setup, a user can access a resource if any of the groups he belongs to has a link. It's a simple SQL query if your db matches nicely.
In more sophisticated systems the group maps to resource in a way that grants or denies permission to create, read, update, delete, execute, etc on the resource, and the SecurityManager finds the most *restrictive* path.
I like the custom tag idea if you need this API in JSPs, but we prefer to push this logic into controllers. We cache security stuff to avoid hitting the db too much, but we have a way to clear the cache and pick up new updates.
Any of that sound useful? [ April 03, 2006: Message edited by: Stan James ]
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
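The user/group/resource lookup described in the reply above, with most-restrictive resolution and a clearable cache, written out as an added example that is not code from the thread. The class name `PermissionCheck`, the in-memory maps standing in for the database tables, and the sample users and groups are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PermissionCheck {
    enum Effect { ALLOW, DENY }

    // Structured cache key, so a delimiter inside a user id cannot collide with another entry.
    record Key(String userId, String resource) {}

    // Constructed sample data standing in for the user->group and group->resource tables.
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
        "alice", Set.of("clerks", "managers"),
        "bob",   Set.of("clerks", "suspended"));
    static final Map<String, Map<String, Effect>> GROUP_RESOURCES = Map.of(
        "clerks",    Map.of("MenuA", Effect.ALLOW),
        "managers",  Map.of("MenuA", Effect.ALLOW, "WriteLargeCheck", Effect.ALLOW),
        "suspended", Map.of("MenuA", Effect.DENY));

    // Cached decisions; must be cleared whenever group membership or grants change.
    private static final Map<Key, Boolean> CACHE = new ConcurrentHashMap<>();

    static boolean hasPermission(String userId, String resource) {
        return CACHE.computeIfAbsent(new Key(userId, resource),
                                     k -> evaluate(k.userId(), k.resource()));
    }

    // Most restrictive path wins: one DENY overrides every ALLOW, and an
    // unknown user, unknown group or unlinked resource is refused by default.
    private static boolean evaluate(String userId, String resource) {
        boolean allowed = false;
        for (String group : USER_GROUPS.getOrDefault(userId, Set.of())) {
            Effect effect = GROUP_RESOURCES.getOrDefault(group, Map.of()).get(resource);
            if (effect == Effect.DENY) return false;
            if (effect == Effect.ALLOW) allowed = true;
        }
        return allowed;
    }

    static void clearCache() { CACHE.clear(); }

    public static void main(String[] args) {
        System.out.println("alice MenuA: " + hasPermission("alice", "MenuA"));
        System.out.println("alice WriteLargeCheck: " + hasPermission("alice", "WriteLargeCheck"));
        System.out.println("bob MenuA: " + hasPermission("bob", "MenuA"));
        System.out.println("mallory MenuA: " + hasPermission("mallory", "MenuA"));
    }
}
```

Calling the check from a controller or servlet filter rather than only from the JSP keeps the decision on the server side of every request; hiding a menu in the view does not by itself block the URL behind it.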