Re: [smartweb-devel] [smartweb-auth] How to customize application gui by user's role
Brought to you by:
rlogiacco
Menu
▾
▴
Re: [smartweb-devel] [smartweb-auth] How to customize application gui by user's role
|
From: Roberto Lo G. <rlo...@us...> - 2008-01-22 12:01:56
|
I've a proposal which delivers your request to it's maximum flexibility:
point-cut the Tag interface to allow constraints on a tag level basis.
In brief what I suggest is to use AOP to intercept calls to any JSP tag and
verify if a constraint exists on that tag: if the constraint is not verified
that tag is not executed at all and all it's contents are skipped.
Here follows an example JSP fragment from the registry module:
<html:form action="/registry/entry-save">
<html:hidden property="id"/><html:hidden property="version"/>
<bean:message key="entry.header.edit" bundle="registry"/>
<bean:message key="entry.display" bundle="registry"/><html:text
property="display" size="30"/>
<html:button titleKey="operation.remove.title" property="remove"
disabled="true"><bean:message key="operation.remove"/></html:button>
<html:cancel titleKey="operation.cancel.title"><bean:message
key="operation.cancel"/></html:cancel>
<html:submit titleKey="operation.complete.title"><bean:message
key="operation.complete"/></html:submit>
</html:form>
Using AOP we can control the GUI field by field, tag by tag on a per role
basis, like in the following security.xml example:
<security xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="security.xsd">
.
.
.
<roles>
<role id="user">
<description>Registered visitor</description>
<privilege resource="entry-edit.jsp" element="*" modifier="rwx"/>
<privilege resource="entry-edit.jsp" element="remove" modifier="r"/>
</role>
</roles>
</security>
The meaningful parts are the last two privileges of the "user" role:
- the first privilege allows the user to view, edit and execute every
element on the JSP
- the last privilege allows the user to only view the element marked
"remove" on the JSP
If you look back at the JSP the "remove" element in the JSP is a button and
the read-only permission says something like "show the button but make it
not executable" so the button should be displayed but in a disabled status.
The argument to this approach can be:
- it may be too flexible
- it may be hard to understand
- it may be difficult to implement
We are already investigating the last point but we appreciate your opinions
on the first two.
Gaetano Perrone wrote:
>
> I think u don't understand the solution i propose.
> The xml configuration file that associates user's role to function yet
> exists and was introduced with AOP domain methods authentication.
> The solution u propose ( <auth:valid role="role1" ) also exists yet but
> what i would avoid to specify the role in the jsp page parametrizing it by
> function name and configured (xml & AOP) role-function association. The
> advantage as i said in the previous post is that changing the role's
> function associate impacts only at configuration time and we must'nt need
> rediting N jsp pages source code
> :-)
>
--
View this message in context: http://www.nabble.com/-smartweb-auth--How-to-customize-application-gui-by-user%27s-role-tp14876789s17546p15017447.html
Sent from the SmartWeb Developers mailing list archive at Nabble.com.
|
