
Design Question

Ranch Hand
Posts: 430
Ok here is a design question.

I've got an application where users are given access to different areas of the application depending on their profile level. For example, all users with profile level 1 can add products to the database but not add customers. Users with profile level 2 can do both.

I have implemented this on the server side using the following technologies


What happens is that before a method is executed on the server side, the servlet checks the user's access level to verify that the Action can be executed.

On the client side the users see all links to all Actions. I would like to change this so that users can only see the links to Actions/Servlets which their profile level allows them to execute.

My question is: what is the simplest way to do this? I have thought of the following solutions:

1. Perform a check on the profile level through the JSP and verify the user is allowed to view this link. I know this will work but it will cause problems later in the future if changes are made to the application. This will also introduce a dependency between the front end and the server-side servlets in that I might need to make changes both on the front end and in the servlets.

2. Not display a page at all if the user is not allowed to view it. This is a problem because some pages contain several links, some of which the user can execute and some they can't.

I would like to be able to enable/disable/display hyperlinks/buttons on the front end based on the user's profile. Can someone suggest a solution whereby I can safely implement this while at the same time complying with the MVC concepts, i.e. the front-end view does not depend on the actual processing on the server side? Can this be done via XML? Or can Struts be used to do this?

Thanks in advance.
Ranch Hand
Posts: 580

I am not very good at designing... Anyhow, I have some suggestions for you.

Normally only the links and/or buttons will differ from user to user based on their profile, so go for a custom JSP for the links and/or buttons and include it in every JSP page.

For example:

user level 1 : include level1.jsp in every JSP
user level 2 : include level2.jsp in every JSP

Note: make your includes in the JSP page based on a condition. The condition for the include may be taken from a session variable, which you can set for the user at login time.

If there are any changes, we only need to change them in one place, and any additional level of users can be added with less pain.

Hope it helps
O. Ziggy
Ranch Hand
Posts: 430

Some JSPs will have links to which they are allowed and some links to which they won't be allowed. I believe the includes won't be able to hide specific hyperlinks.

The application I am developing has around 300 hyperlinks scattered around several content areas. Each hyperlink initiates a transaction in an Oracle database. Several people will be associated with different hyperlinks. The transactions associated with each user change very frequently, meaning the hyperlinks they see must change as well. If the rules that govern the access levels change, then I have to manually change all the hyperlinks in the JSP pages.

Take this as an example,

What happens if all managers are now allowed to access Admin features in the application? You will have to manually change each view component that refers to these roles. Is there a way to avoid this manual change?

The reason I have to avoid this is that the transactions associated with users in my application actually change very frequently.

To give you an idea of how this is stored in the database, here is an example of the data governing the rules.





The UserTransactions table governs which hyperlink (business transaction) the user can view. This table is updated every week, sometimes every day, as and when required.

[ April 26, 2006: Message edited by: O. Ziggy ]
Ranch Hand
Posts: 4864
Here's one possible solution:

Create an Authorization bean that looks something like this:

Then in your jsp:

Where I have assigned "def" to the userId property, you may want to assign <c:out value="${user.userId}" /> or something like that. Also, you may want to use actionId instead of transactionId as the first property of the Authorization bean. Anyway, I think you get the picture.
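
Added example (not part of the thread and not any poster's code): one way to keep the view and the server-side check in agreement is to have both consult the same permission lookup, so a change in the UserTransactions data changes which links are rendered and which requests are accepted without touching any JSP. The class names, the in-memory map standing in for the table, and the transaction ids are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Illustrative sketch; every name here is hypothetical. Requires Java 9+ (Map.of / Set.of).
public class AuthorizationDemo {

    // Constructed sample data standing in for rows of the UserTransactions table:
    // userId -> transaction ids that user may execute.
    private static final Map<String, Set<String>> GRANTS = Map.of(
        "abc", Set.of("ADD_PRODUCT"),                  // like profile level 1
        "def", Set.of("ADD_PRODUCT", "ADD_CUSTOMER")); // like profile level 2

    /** Single decision point used by both the view and the servlet. Denies by default. */
    static boolean isAllowed(String userId, String transactionId) {
        if (userId == null || transactionId == null) return false;
        return GRANTS.getOrDefault(userId, Set.of()).contains(transactionId);
    }

    /** View-side JavaBean: the page sets both properties, then tests the 'authorized' property. */
    public static class Authorization {
        private String transactionId;
        private String userId;
        public void setTransactionId(String transactionId) { this.transactionId = transactionId; }
        public void setUserId(String userId) { this.userId = userId; }
        public boolean isAuthorized() { return isAllowed(userId, transactionId); }
    }

    /** Server-side enforcement, run before the action executes. */
    static String execute(String userId, String transactionId) {
        // A hidden link does not stop a hand-typed request, so the check is repeated here.
        if (!isAllowed(userId, transactionId)) return "403 Forbidden";
        return "200 OK: " + transactionId;
    }

    public static void main(String[] args) {
        Authorization auth = new Authorization();
        auth.setUserId("abc");
        auth.setTransactionId("ADD_CUSTOMER");
        System.out.println("render ADD_CUSTOMER link for abc? " + auth.isAuthorized());

        auth.setUserId("def");
        System.out.println("render ADD_CUSTOMER link for def? " + auth.isAuthorized());

        // Same rule, enforced on the request itself.
        System.out.println("abc -> " + execute("abc", "ADD_CUSTOMER"));
        System.out.println("def -> " + execute("def", "ADD_CUSTOMER"));
    }
}
```

In a real deployment `isAllowed` would query the database (or a short-lived cache of it), and the user id would come from the authenticated session rather than from a request parameter.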