The way my design worked was to have advice or a Servlet Filter wrap the output stream and buffer output until a complete UI control was emitted. I relied on there being other code (another aspect) that threw a security exception if the user didn’t have permission to view the given information. I.e., when rendering the control, I made sure it threw an exception if the user didn’t have the right permissions.

If you are still having the user explicitly include a custom JSP tag for a permission check, can’t it just evaluate role membership and either include or skip the body appropriately? I.e., what behavior are you seeking to achieve with an aspect?

I know of two reasonable strategies to control JSP or other forms of markup output in a crosscutting manner:

1. Refactor into custom tags, and advise the Java code for those tags
2. Filter the output stream (either with advice that decorates them on creation or by wiring in with a Servlet Filter through multiple layers: something which I found worse than the aspect approach)

You can also combine 1+2. IMHO, this is an area where you can apply aspects but it’s not simple because you don’t have something like AspectJSP that lets you match natural joinpoints in a JSP. Instead you can work on the generated markup or the generated Java code…

From: aspectj-users-bounces@xxxxxxxxxxx [mailto:aspectj-users-bounces@xxxxxxxxxxx] On Behalf Of Mohan Radhakrishnan
Sent: Monday, February 13, 2006 8:26 PM
To: aspectj-users@xxxxxxxxxxx
Subject: Re: [aspectj-users] advising JSP's

Thanks Ron. My gmail client sometimes does not receive my posts. So I sent a duplicate.

Are you intercepting the tags before the servlets are generated? In my case there is no security exception. The HTML control either appears or not based on the role.

On 2/13/06, Ron Bodkin <rbodkin@xxxxxxxxxxxxxx> wrote:

Hi Mohan,

I'm assuming you are hoping to replace the use of JSP tags here. I've prototyped doing this kind of field-level security. When I did it, I did it based on the content being produced, with a strategy like this: look for tags that indicate the start & end of a UI control, buffer input while reading a control, if a security exception appears mark this control as "not present".

I think it would be hard to do this based on the calls to writing to a stream, typically it's the markup content that matters here.

p.s. I received both of your emails

I have several JSPs that display certain fields based on the role of the login user. So I use tags like this

<logic:notPresent role="admin">

I want to isolate this concern and weave it into the servlets generated from the JSPs. But I found that the generated servlets are pretty complex.

How do you handle this type of weaving? Appreciate any suggestions.
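
The buffering strategy discussed in this thread (hold back a UI control's markup until its end marker, and drop it if a security exception was raised while it rendered) can be sketched as follows. This is an added example, not code from either poster or from AspectJ; the marker strings, `ControlBuffer`, `requireRole` and the sample page are hypothetical, and a plain try/catch stands in for the advice or Servlet Filter that would wrap the real output stream.

```java
import java.util.Set;

public class ControlBufferDemo {
    // Hypothetical markers delimiting one UI control in the generated markup.
    static final String START = "<!--ctl-->", END = "<!--/ctl-->";
    /** Holds a control's markup back until its end marker is written. */
    static class ControlBuffer {
        private final StringBuilder out = new StringBuilder();
        private StringBuilder held;   // non-null while inside a control
        private boolean denied;
        void write(String s) {
            if (s.equals(START)) { held = new StringBuilder(); denied = false; }
            else if (s.equals(END)) {
                if (held != null && !denied) out.append(held);   // release only if permitted
                held = null;
            }
            else if (held != null) held.append(s);
            else out.append(s);
        }
        /** Marks the open control "not present"; returns false if no control is open. */
        boolean deny() { if (held == null) return false; denied = true; return true; }
        // A control still open here is never released: a missing end marker fails closed.
        String result() { return out.toString(); }
    }
    // Stand-in for the separate permission aspect: throws when the role is missing.
    static void requireRole(Set<String> roles, String needed) {
        if (!roles.contains(needed)) throw new SecurityException("missing role: " + needed);
    }
    static String render(Set<String> roles) {
        ControlBuffer buf = new ControlBuffer();
        Runnable[] page = {   // constructed page with one admin-only control
            () -> buf.write("<form><input name='name'>"),
            () -> buf.write(START),
            () -> buf.write("<label>Salary</label>"),   // written before the check runs
            () -> { requireRole(roles, "admin"); buf.write("<input name='salary'>"); },
            () -> buf.write(END),
            () -> buf.write("</form>")
        };
        for (Runnable step : page) {
            try { step.run(); }
            catch (SecurityException e) { if (!buf.deny()) throw e; }   // outside a control: propagate
        }
        return buf.result();
    }
    public static void main(String[] args) {
        System.out.println(render(Set.of("user")));
        System.out.println(render(Set.of("admin")));
    }
}
```

Because the label is written before the permission check fires, an unbuffered stream would already have sent it to the client; holding the whole control back is what lets the denied case remove the label and the input together.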