Stupid question, however it's sophisticated

 
Ranch Hand
Posts: 73
Dear All,

I just got a Web Application Project from other people's hands. It basically uses JSP, Servlet and JavaScript to implement. It has its own logon page to check the access rights of the users. Some groups might have powerful rights so that they can view all the menus, but some do not.

I just viewed the code of the logon page and found out the previous programmer "Hard_Coded" the user group in the JSP. I am wondering if it's the right way to do it. So what if the groups keep appending, and all of them have different menus? Here is the tedious code:



That is super tedious to me. Do you guys have any good suggestions to implement that logic better than the above code? Since I hate hard-coding.

Myriad Thanks

Transistor
[ April 02, 2006: Message edited by: Bear Bibeault ]
 
author
Posts: 288
Use a combination of Custom Tags (like JSTL tags), Java classes (where logic resides; can use polymorphism to avoid if..else constructs) and a .properties file where hard-coded values reside (can use an observable pattern to reload the properties file without stopping the server).
 
(instanceof Sidekick)
Posts: 8791
You're right, that code is going bad places. It's hard to maintain and easy to hack. First, hide the mechanism to determine privileges inside some kind of security utility:

if ( SecurityManager.hasPermission( userid, "MenuA" ) ) ...

One common data structure behind this kind of thing is

a user belongs to one or more groups
a group has one or more resources
a resource is something like MenuA or WriteLargeCheck

In a basic setup, a user can access a resource if any of the groups he belongs to has a link. It's a simple SQL query if your db matches nicely.

In more sophisticated systems the group maps to resource in a way that grants or denies permission to create, read, update, delete, execute, etc on the resource, and the SecurityManager finds the most *restrictive* path.

I like the custom tag idea if you need this API in JSPs, but we prefer to push this logic into controllers. We cache security stuff to avoid hitting the db too much, but we have a way to clear the cache and pick up new updates.

Any of that sound useful?
[ April 03, 2006: Message edited by: Stan James ]
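
The user, group and resource model from the reply above, with the "most restrictive path" rule, sketched as an added example that is not code from any poster in this thread. The class name `PermissionCheck`, the users and the groups are hypothetical, and the in-memory maps are constructed sample data standing in for the database tables; only `MenuA` and `WriteLargeCheck` come from the post.

```java
import java.util.*;

// Added illustration; class, user and group names are hypothetical.
public class PermissionCheck {
    enum Effect { ALLOW, DENY }

    // user -> groups, group -> (resource -> effect). Constructed sample data
    // standing in for the database tables the post describes.
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, Map<String, Effect>> groupRules = new HashMap<>();

    void addUser(String user, String... groups) {
        userGroups.put(user, new HashSet<>(Arrays.asList(groups)));
    }

    void addRule(String group, String resource, Effect effect) {
        groupRules.computeIfAbsent(group, g -> new HashMap<>()).put(resource, effect);
    }

    // Most restrictive path wins: any DENY blocks access, at least one ALLOW
    // is required, and unknown users, groups or resources fall through to deny.
    boolean hasPermission(String user, String resource) {
        boolean allowed = false;
        for (String group : userGroups.getOrDefault(user, Collections.emptySet())) {
            Effect e = groupRules.getOrDefault(group, Collections.emptyMap()).get(resource);
            if (e == Effect.DENY) return false;
            if (e == Effect.ALLOW) allowed = true;
        }
        return allowed;
    }

    public static void main(String[] args) {
        PermissionCheck pc = new PermissionCheck();
        pc.addUser("alice", "admins");
        pc.addUser("bob", "clerks", "suspended");
        pc.addRule("admins", "MenuA", Effect.ALLOW);
        pc.addRule("admins", "WriteLargeCheck", Effect.ALLOW);
        pc.addRule("clerks", "MenuA", Effect.ALLOW);
        pc.addRule("suspended", "MenuA", Effect.DENY);

        // alice: single group with an explicit grant
        System.out.println(pc.hasPermission("alice", "WriteLargeCheck"));
        // bob: one group grants MenuA, another denies it
        System.out.println(pc.hasPermission("bob", "MenuA"));
        // bob: no group mentions this resource
        System.out.println(pc.hasPermission("bob", "WriteLargeCheck"));
        // mallory: user not present in the store
        System.out.println(pc.hasPermission("mallory", "MenuA"));
    }
}
```

The check belongs on the server, in the servlet or controller that serves each protected resource; a JSP that only hides menu entries does not stop a direct request to the URL behind them.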
 