
Stupid question, however it's sophisticated

 
YuenLian Wu
Ranch Hand
Posts: 73
Dear All,

I just got a Web Application Project from other people's hand. It basically uses JSP, Servlet and JavaScript to implement. It has its own logon page to check the access right of the users. Some groups might have powerful right that they can view all the menus, but some are not.

I just viewed the code of the logon page, and I found out the previous programmer "Hard_Coded" the user group from the JSP. I am wondering if it's the right way to do it. So what if the groups keep appending, and all of them have different menus? Here is the tedious code:



That is super tedious to me, do you guys have any good suggestion to implement that logic better than the above code? Since I hate hard-code.

Myriad Thanks

Transistor
[ April 02, 2006: Message edited by: Bear Bibeault ]
 
ak pillai
author
Ranch Hand
Posts: 288
Use a combination of Custom Tags (like JSTL tags), Java classes (where logic resides; can use polymorphism to avoid if..else constructs) and a .properties file where hard coded values reside (can use an observable pattern to reload the properties file without stopping the server).
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
You're right, that code is going bad places. It's hard to maintain and easy to hack. First, hide the mechanism to determine privileges inside some kind of security utility:

if ( SecurityManager.hasPermission( userid, "MenuA" ) ) ...

One common data structure behind this kind of thing is

a user belongs to one or more groups
a group has one or more resources
a resource is something like MenuA or WriteLargeCheck

In a basic setup, a user can access a resource if any of the groups he belongs to has a link. It's a simple SQL query if your db matches nicely.

In more sophisticated systems the group maps to resource in a way that grants or denies permission to create, read, update, delete, execute, etc on the resource, and the SecurityManager finds the most *restrictive* path.

I like the custom tag idea if you need this API in JSPs, but we prefer to push this logic into controllers. We cache security stuff to avoid hitting the db too much, but we have a way to clear the cache and pick up new updates.

Any of that sound useful?
[ April 03, 2006: Message edited by: Stan James ]
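
One way to implement the user, group and resource lookup described in the reply above, with the most restrictive rule winning and a cache that is cleared on updates. This is an added example, not code from the thread: the class name PermissionService, the ALLOW/DENY rule model and the in-memory maps standing in for database tables are assumptions.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example; class name, rule model and sample data are hypothetical.
public class PermissionService {
    enum Effect { ALLOW, DENY }
    // In-memory stand-ins for the user/group and group/resource tables.
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, Map<String, Effect>> groupRules = new HashMap<>();
    // Cached decisions keyed by [user, resource].
    private final Map<List<String>, Boolean> cache = new ConcurrentHashMap<>();

    void addUser(String user, String... groups) {
        userGroups.put(user, new HashSet<>(Arrays.asList(groups)));
        cache.clear(); // any change drops cached decisions
    }
    void addRule(String group, String resource, Effect effect) {
        groupRules.computeIfAbsent(group, g -> new HashMap<>()).put(resource, effect);
        cache.clear();
    }

    boolean hasPermission(String user, String resource) {
        return cache.computeIfAbsent(Arrays.asList(user, resource), k -> decide(user, resource));
    }

    // Default deny: unknown users and unlisted resources get nothing.
    // Most restrictive path: one DENY in any group overrides every ALLOW.
    private boolean decide(String user, String resource) {
        boolean allowed = false;
        for (String group : userGroups.getOrDefault(user, Collections.emptySet())) {
            Effect e = groupRules.getOrDefault(group, Collections.emptyMap()).get(resource);
            if (e == Effect.DENY) return false;
            if (e == Effect.ALLOW) allowed = true;
        }
        return allowed;
    }

    public static void main(String[] args) {
        PermissionService sec = new PermissionService();
        sec.addUser("alice", "admins");
        sec.addUser("bob", "clerks", "suspended"); // constructed sample users
        sec.addRule("admins", "MenuA", Effect.ALLOW);
        sec.addRule("clerks", "MenuA", Effect.ALLOW);
        sec.addRule("suspended", "MenuA", Effect.DENY);
        for (String u : new String[] {"alice", "bob", "carol"})
            System.out.println(u + " may see MenuA: " + sec.hasPermission(u, "MenuA"));
    }
}
```

The check belongs in the servlet or controller that serves each menu's target, not only in the JSP that draws the menu, so that a user who requests the URL directly is still refused.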
 