Manage field level access control in J2EE applications


  1. J2EE provides access to servlet and EJB resources based on user roles, but provides no similar capabilities to presentation-level elements. JSecure is a JSP custom tag library that provides field-level access control in J2EE applications. It is a collection of html-like controls that take responsibility of rendering the field contents. Basically, the tags allow specification of roles in JSP, and only those roles will have read or write access to the fields. An example of the viewblock tag, showing that the users possessing the admin or super roles can see the text:
    <jsecure:viewblock allowed="admin,super"> Hello! XYZ... </jsecure:viewblock>
    The other tags provide similar capabilities, allowing read-only or write access by user role. For more details, see "Field-Level Role-based security for J2EE Applications." Message was edited by: joeo@enigmastation.com
  2. Is it something like this http://www.servletsuite.com/servlets/roletag.htm ? Dmitry Coldbeans
  3. Is it something like this http://www.servletsuite.com/servlets/roletag.htm ?


    Dmitry
    Coldbeans
    Or in Wicket:
    /**
     * A panel that is only visible for users with role ADMIN or USER.
     */
    @AuthorizeAction(action = Action.RENDER, roles = {Roles.ADMIN, Roles.USER})
    private static final class ForAdminsAndUsers extends Panel {
        ...
    Has nothing to do with JSP though :)
  4. Is it something like this http://www.servletsuite.com/servlets/roletag.htm ?


    Dmitry
    Coldbeans
    This is the servlet that'll render contents if the user is super or admin. JSecure is DIFFERENT. It is a set of tags like viewblock, input, select, textarea. The ViewBlock tag of JSecure is similar to the roletag servlet in that it can hide itself based on the user (however, one page can contain multiple viewblocks for different roles and the roletag servlet can't do this). The other tags can perform 4 operations based on the roles:
    1- Display in full if the user has full access to the field
    2- Display READONLY if the user has read-only access
    3- Hide if the user has no access
    4- Persist their values if the form is submitted to the same page
    For more details, visit www.solutionsperfect.com/Products.html and click on the view demo link, or download the trial and run the demos yourself.
    --Altaf Malik
  5. No, it is not a servlet. It is a tag :-). And you can use it many times over the page of course
  6. Malik, what if we are already using the Struts framework in a web application; can we still use the proposed tag library to achieve field-level security? Is there any mechanism available to apply two tags from separate libraries to one HTML element? jamshaid www.d-p-s.com
  7. Malik,
    what if we are already using the Struts framework in a web application; can we still use the proposed tag library to achieve field-level security? Is there any mechanism available to apply two tags from separate libraries to one HTML element?

    jamshaid
    www.d-p-s.com
    Of course we can use JSecure within any standard JSP tag. That means that if you have a tag from some other tag library (*that supports JSP contents, of course), you can use JSecure. All tags of JSecure accept full JSP contents in the body. That means you can have as many variations of tags as possible within JSecure. Frankly speaking, I feel there is something missing in your question. Do you want the SAME Struts HTML element to be interpreted by two different tags? If yes, you can only put that Struts tag under a viewblock element of JSecure, and let it display or hide itself. Readonly properties won't work in that case.
  8. Thanks for posting the article. Role-based access control is important in many applications and is a topic that is not well understood. Having a JSP tag lib is certainly a useful way to facilitate this and make it available to developers. I have been involved in the creation of an identity and access management solution for the past few years. Our objectives were to offer RBAC at the various levels - URLs in an application, pages and fields. In reading your article, I have a question - Are the permissions defined in the tag itself? Does this mean that people in the admin role have readonly access and full control to all those who are not in that role? How would you handle a change in access level based on business needs? Does that mean that you would have to manually change the JSP page and redeploy the application? In my experience, we have found that business needs a more flexible model where changes in policy can be made without having to disrupt the application. I would love to hear your thoughts on this. Regards Ameet Shah Diamelle Technologies www.diamelle.com
  9. Thanks for posting the article. Role-based access control is important in many applications and is a topic that is not well understood. Having a JSP tag lib is certainly a useful way to facilitate this and make it available to developers.

    I have been involved in the creation of an identity and access management solution for the past few years. Our objectives were to offer RBAC at the various levels - URLs in an application, pages and fields. In reading your article, I have a question - Are the permissions defined in the tag itself?



    Does this mean that people in the admin role have readonly access and full control to all those who are not in that role? How would you handle a change in access level based on business needs? Does that mean that you would have to manually change the JSP page and redeploy the application? In my experience, we have found that business needs a more flexible model where changes in policy can be made without having to disrupt the application. I would love to hear your thoughts on this.

    Regards

    Ameet Shah
    Diamelle Technologies
    www.diamelle.com
    Yes you are right. The roles need to be hard-coded. The current version does not support *Persistent permissions. We have implemented some patterns to support this feature and they are under UAT (User Acceptance Testing). A more sophisticated version of the library will be released soon and the existing customers will get a free update.
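
Added example, not part of the thread and not JSecure code: a sketch of the three display modes described in post 4 (full, read-only, hidden) resolved from a policy table kept outside the page, which is the flexibility asked about in posts 8 and 9. All class, method, field and role names are hypothetical, and the policy data is constructed; the same decision is reused when a form is submitted.

```java
import java.util.*;

// Added illustration; not JSecure code. All names here are hypothetical.
public class FieldPolicyDemo {
    enum Access { HIDDEN, READONLY, FULL }   // ordered weakest to strongest

    // Policy lives outside the page: field -> role -> access level.
    // Constructed sample data; it could equally be loaded from a file or database.
    static final Map<String, Map<String, Access>> POLICY = Map.of(
        "salary", Map.of("admin", Access.FULL, "manager", Access.READONLY),
        "email",  Map.of("admin", Access.FULL, "user", Access.FULL));

    // Strongest access granted by any of the user's roles; default is deny (HIDDEN).
    static Access resolve(String field, Set<String> roles) {
        Access best = Access.HIDDEN;
        Map<String, Access> byRole = POLICY.getOrDefault(field, Map.of());
        for (String role : roles) {
            Access a = byRole.getOrDefault(role, Access.HIDDEN);
            if (a.compareTo(best) > 0) best = a;
        }
        return best;
    }

    // Render step: editable input, read-only input, or nothing at all.
    // The field name is a policy key chosen by the developer; the value is escaped.
    static String render(String field, String value, Set<String> roles) {
        String v = escape(value);
        switch (resolve(field, roles)) {
            case FULL:     return "<input name=\"" + field + "\" value=\"" + v + "\">";
            case READONLY: return "<input name=\"" + field + "\" value=\"" + v + "\" readonly>";
            default:       return "";
        }
    }

    // Submit step: the same policy decides whether a posted value is accepted,
    // because a read-only or hidden field can still appear in a request.
    static boolean mayWrite(String field, Set<String> roles) {
        return resolve(field, roles) == Access.FULL;
    }

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        System.out.println(render("salary", "5000", Set.of("manager")));
        System.out.println(render("salary", "5000", Set.of("user")).isEmpty());
        System.out.println(mayWrite("salary", Set.of("manager")));
        System.out.println(mayWrite("salary", Set.of("admin", "user")));
    }
}
```

Changing an entry in the policy table changes what each role sees and may submit without editing the page that renders the field.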