Security - Screen level vs Data element level

 
Greenhorn
Posts: 20
Hi,

We require that certain data elements be shown to some users; some users should not even have view permission, while others have modify, read and delete permissions on them.

We are trying to implement security for our application. Which is the better approach?

To implement it at the screen level using the security-constraint of the web.xml, or at the data element level in the data model?

Thanks
 
Bartender
Posts: 1638
Using a screen-level security constraint you will not be able to show/hide different controls on the same screen based on the user role.
On the other hand, checking security at the data model level will be irritating, as a user is allowed to click a link but when he clicks, he gets an access denied exception. I would get frustrated using such a screen!

So, one way of handling this would be to guard every protected resource/control with a scriptlet that checks the permissions assigned to a user. (You can have a JAAS-based model for associating users and permissions.)
However, doing a double check in the data model will make it foolproof, so that if any security check is missed in the UI, it gets caught at the backend. You can use the same security model (e.g. JAAS) for both types of checks.
[ April 19, 2007: Message edited by: Nitesh Kant ]
 
Rancher
Posts: 43081

On the other hand, checking security at the data model level will be irritating as a user is allowed to click a link but when he clicks, he gets a access denied exception.


Why would you show a UI element to the user if he isn't allowed to use it? The benefit of working at the data level is that this doesn't need to happen.

JAAS is supposed to be the be-all and end-all of security frameworks, but it gets quite complex. If you're set on using it, have a look at jGuard (on SourceForge), which adapts and simplifies it for web applications.

You haven't told us what you are trying to protect, as you were asked to in this duplicate thread. In the future, please don't post the same question multiple times.
 
Angela Chint
Greenhorn
Posts: 20
Thanks Nitesh.

Ulf, I am trying to show some data elements to the admin, which can also be edited, but for the manager only view permission, and for users not even view.
For example: I need to show the Credit Card Info & SSN to the Admin and also leave it editable, whereas a manager can only view this data for any user, and a user will not be able to see this unless it is his own.

We are planning to use Struts. Can this be done using action mappings & beans? I may need to use role based access control too in addition.

Please advise.

Thanks
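The two-layer check Nitesh describes (the UI hides the control, and the data layer rejects the call anyway), applied to the admin/manager/user rules Angela gives. This is example code added for this page, not code from the thread, Struts or JAAS; the class, role and field names are assumptions.

```java
import java.util.EnumSet;
import java.util.Set;

// Added example, not code from the thread. Roles, fields and rules follow
// Angela's description (admin: view+edit anyone's; manager: view anyone's;
// user: view only his own). Both sensitive fields share one rule here.
public class FieldAccessPolicy {

    public enum Role { ADMIN, MANAGER, USER }
    public enum Field { CREDIT_CARD, SSN }
    public enum Action { VIEW, EDIT }

    public static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** The caller as the application sees it: user id plus granted roles. */
    public static final class Principal {
        final String userId;
        final Set<Role> roles;
        public Principal(String userId, Set<Role> roles) {
            this.userId = userId;
            this.roles = roles;
        }
    }

    /** UI-side question: may this principal perform action on field of ownerId's record?
     *  A JSP tag or scriptlet calls this before rendering the control or link. */
    public static boolean isAllowed(Principal p, Action action, Field field, String ownerId) {
        if (p.roles.contains(Role.ADMIN)) return true;           // admin: everything
        if (action == Action.EDIT) return false;                  // only admin may edit
        if (p.roles.contains(Role.MANAGER)) return true;          // manager: read any record
        return p.roles.contains(Role.USER) && p.userId.equals(ownerId); // user: own record only
    }

    /** Backend-side check: the service/data layer calls this regardless of what the UI
     *  rendered, so a check missed in a page cannot expose or modify the value. */
    public static void require(Principal p, Action action, Field field, String ownerId) {
        if (!isAllowed(p, action, field, ownerId)) {
            throw new AccessDeniedException(p.userId + " may not " + action + " " + field
                    + " of " + ownerId);
        }
    }

    /** Example service method guarded by the second (backend) check. */
    public static String readSsn(Principal caller, String ownerId, String storedSsn) {
        require(caller, Action.VIEW, Field.SSN, ownerId);
        return storedSsn;
    }
}
```

Because both layers consult the same policy object, the page cannot render a control the backend would refuse, and a page that forgets the check still cannot leak or change the field.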