users@glassfish.java.net

Re: security roles set up using session variable

From: Aleksandras Novikovas <an_at_systemtier.com>
Date: Fri, 23 Jan 2009 19:56:46 +0200

Hi,
Check user type on admin page render.
If it is not - return HTTP error code 403 (forbidden).

-
Aleksandras Novikovas



On Fri, 2009-01-23 at 09:21 -0800, glassfish_at_javadesktop.org wrote:
> Hello All,
>
> I am creating a Java EE application and I have a session level bean called MyApplicationSessionBean.
>
> MyApplicationSessionBean.java has the following:
>
> private String userType;
>
> public String getUserType()
> {
> //business logic here to decide what type of user
> //uses database for deciding what type of user
> return userType;
> }
>
> userType can be either "admin", "customer", "anonymous" etc...
>
> Now...I have the following link
>
> http://myapplication/myapp/admin.jsp
>
> this link should be viewable and available only for user of type "admin"
>
> so on my site..I have menu tabs and one of the tabs is "Admin Section"...if the user clicks that he will be going to admin.jsp link shown above...
>
> what I did is...I made this admin tab available to only admin users using rendered="#{mysessionBean.userType == 'admin'}"
>
> so when a customer logs in, he would not see the tab...
>
> but when the customer goes to the admin.jsp link by typing the URL, he or she can access the page contents...
>
> how can I restrict that...
>
> thanks
>
> -Amor
> [Message sent by forum member 'amorous' (amorous)]
>
> http://forums.java.net/jive/thread.jspa?messageID=327879
>