Does such a JSP Tag exist: page element-level authorization

JonTheBaller

I am looking for a JSP tag that I can pass as a parameter an element ID (for example, the ID of an image, button, hyperlink, textbox, etc.). The JSP tag will check this ID against an XML file listing all roles that are allowed to view that element. The XML file will of course have been created beforehand by the site admin. If the current user that is signed in to the site is in an authorized role, then it will show the content that is between the tags; if not, it will hide the content. For example:

<tag:pageLevelSecurity elementID="myImage">

<img src="..." id="myImage" />

</tag:pageLevelSecurity>

If the XML file states that user theUser in role theRole is allowed to see myImage, then myImage will be displayed, otherwise the body of the tag will be ignored.

TIA!
 

manly

A custom tag is something you write yourself. :) The API is not very difficult to learn; but before you go about writing a tag library, I would first consider if this is the correct design.
 

JonTheBaller

Originally posted by: manly
A custom tag is something you write yourself. :) The API is not very difficult to learn; but before you go about writing a tag library, I would first consider if this is the correct design.

Why do you suggest this might not be a correct design?
 

Armitage

Ok, I know nothing about JSP. But doesn't it have some sort of if...else structure? Rather than embed this logic in a custom tag, it would seem more maintainable to me to simply put the security check in an if() statement.
 

kamper

Originally posted by: Armitage
Ok, I know nothing about JSP. But doesn't it have some sort of if...else structure? Rather than embed this logic in a custom tag, it would seem more maintainable to me to simply put the security check in an if() statement.

The whole idea of JSP is to remove programming logic from the display layout. To this end I would even suggest not having a body for this tag but simply including the relevant info about the image in the tag parameters and having the tag implementation generate the proper HTML if required. Or maybe not, whatever works...
 

manly

Originally posted by: johnnytightlips
Originally posted by: manly
A custom tag is something you write yourself. :) The API is not very difficult to learn; but before you go about writing a tag library, I would first consider if this is the correct design.

Why do you suggest this might not be a correct design?

The dynamic content generation logic sounds fine.

But J2EE already has a rich security API; I don't think you need to write your own primitive authentication library if one is already available.
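
Added example, not code from any poster in this thread: a tag handler for the `<tag:pageLevelSecurity elementID="...">` tag described in the first post, with the role check delegated to the container's J2EE security API (`HttpServletRequest.isUserInRole`) as the last reply suggests. The class name, the `/WEB-INF/element-roles.xml` path and the XML layout are assumptions, and the tag still has to be declared in a TLD.

```java
// Added example: hypothetical tag handler, not code from the thread.
import java.io.InputStream;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class PageLevelSecurityTag extends TagSupport {
    // Assumed location and format of the admin-maintained role file:
    // <elements><element id="myImage"><role>theRole</role></element></elements>
    private static final String ROLE_FILE = "/WEB-INF/element-roles.xml";
    private String elementID;

    public void setElementID(String elementID) { this.elementID = elementID; }

    @Override
    public int doStartTag() throws JspException {
        HttpServletRequest req = (HttpServletRequest) pageContext.getRequest();
        for (String role : rolesFor(elementID)) {
            // Container-managed check: the role comes from the J2EE login, not from the page.
            if (req.isUserInRole(role)) return EVAL_BODY_INCLUDE;
        }
        return SKIP_BODY; // unknown element or no matching role: fail closed
    }

    private List<String> rolesFor(String id) throws JspException {
        List<String> roles = new ArrayList<>();
        try (InputStream in = pageContext.getServletContext().getResourceAsStream(ROLE_FILE)) {
            if (in == null) return roles; // missing file means nothing is shown
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Refuse DOCTYPEs so the role file cannot pull in external entities.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            NodeList elements = f.newDocumentBuilder().parse(in).getElementsByTagName("element");
            for (int i = 0; i < elements.getLength(); i++) {
                Element e = (Element) elements.item(i);
                if (!e.getAttribute("id").equals(id)) continue;
                NodeList r = e.getElementsByTagName("role");
                for (int j = 0; j < r.getLength(); j++) roles.add(r.item(j).getTextContent().trim());
            }
        } catch (Exception ex) {
            throw new JspException("cannot read " + ROLE_FILE, ex);
        }
        return roles;
    }
}
```

The tag only decides what is rendered into the page. A resource behind the element, such as the image URL, still needs its own `security-constraint` in `web.xml`, because the container serves it to any request that is not blocked there.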