Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
RE: [aspectj-users] advising JSP's

The way my design worked was to have advice or a Servlet Filter wrap the output stream and buffer output until a complete UI control was emitted. I relied on there being other code (another aspect) that threw a security exception if the user didn’t have permission to view the given information. I.e., when rendering the control, I made sure it threw an exception if the user didn’t have the right permissions.

 

If you are still having the user explicitly include a custom JSP tag for a permission check, can’t it just evaluate role membership and either include or skip the body appropriately? I.e., what behavior are you seeking to achieve with an aspect?

 

I know of two reasonable strategies to control JSP or other forms of markup output in a crosscutting manner:

1. Refactor into custom tags, and advise the Java code for those tags

2. Filter the output stream (either with advice that decorates them on creation or by wiring in with a Servlet Filter through multiple layers: something which I found worse than the aspect approach)

 

You can also combine 1+2. IMHO, this is an area where you can apply aspects but it’s not simple because you don’t have something like AspectJSP that lets you match natural joinpoints in a JSP. Instead you can work on the generated mark up or the generated Java code…

 

From: aspectj-users-bounces@xxxxxxxxxxx [mailto:aspectj-users-bounces@xxxxxxxxxxx] On Behalf Of Mohan Radhakrishnan
Sent: Monday, February 13, 2006 8:26 PM
To: aspectj-users@xxxxxxxxxxx
Subject: Re: [aspectj-users] advising JSP's

 

Hi,

       Thanks Ron. My gmail client sometimes does not receive my posts. So I sent a duplicate.

 

       Are you intercepting the tags before the servlets are generated ? In my case there is no

securityexception. The html control either appears or not based on the role.

 

 

 

Mohan

 

On 2/13/06, Ron Bodkin <rbodkin@xxxxxxxxxxxxxx> wrote:

Hi Mohan,

 

I'm assuming you are hoping to replace the use of JSP tags here. I've prototyped doing this kind of field-level security. When I did it, I did it based on the content being produced, with a strategy like this: look for tags that indicate the start & end of a UI control, buffer input while reading a control, if a security exception appears mark this control as "not present".

 

I think it would be hard to do this based on the calls to writing to a stream, typically it's the markup content that matters here.

 

p.s. I received both of your emails

 

From: aspectj-users-bounces@xxxxxxxxxxx [mailto:aspectj-users-bounces@xxxxxxxxxxx] On Behalf Of Mohan Radhakrishnan
Sent: Monday, February 13, 2006 2:35 AM
To: aspectj-users@xxxxxxxxxxx
Subject: [aspectj-users] advising JSP's

 

Hi,

     I have several JSP's that display certain fields based on the role of the login user. So I use tags like this

 

<logic:notPresent role="admin">

 

I want to isolate this concern and weave it into the servlets generated from the JSP's.  But I found that the generated servlets are pretty complex.

How do you handle this type of weaving ? Appreciate any suggestions.

 

Thanks,

Mohan


_______________________________________________
aspectj-users mailing list
aspectj-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/aspectj-users

 

Back to the top