user access management in j2ee web application

Question

Hi everyone, I am working with jsp/servlet project and i have to complete the module of access management to my jsps since I have more than one user with different profile. I defined a table in my database wich resume the profil and the url permitted like that:

id_profil :1 
url : http://localhost/...xyz.jsp
id page 1

Now I am trying to let the menu modified appropriately to the id_profil of the logged user.

So there are pages allowed in one profile but must be hidden to others. I have no idea since now how to realize this and it is so important for me.

thanks for your help.

Answer 1

It's kinda a vague exaplanation but you could use an if in your jsp to hide the menu options based on *id_profil*, something like this:

<c:if test="${currentUser.id_profil == 1}">
   <button label="Only id_profil 1"/>
</c:if>

Answer 2

Keep in mind that by changing the values shown by a menu, you aren't preventing a user from accessing a page directly -- even if the user can't get to xyz.jsp by dropping down a menu item, they can still enter xyz.jsp into the address bar of their browser. So you'll have to block the access in another way.

If you have any experience with Spring, or are considering implementing it, take a look at Spring Security. It can be used to limit user access rights to different parts of your application. It isn't terribly hard to implement if you are already familiar with Spring.

ETA: For some basics that don't involve Spring Security, check out security in web.xml: http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html#bncbj