So I'm basically looking for advice on how I could improve on a solution.
Some Background First,
I developed a simple in-house authorization framework to control access and behavior in a Java/J2EE based application, where the framework could be used in any of the Model, View or Controller layers.
When the user logs in they are passed a User Permission object based on their assigned role. (Default is always deny). The permissions consist of a Subject (enum) as well as a list of optional permissions (Create, Read, Update, Delete...).
In some places this is used to control the display of screen elements, in others it's combined with Strategy patterns to control system behavior based on the User's role.
In the JSP layer I access it via Scriptlets because the Code Complete option makes sure that a user doesn't enter a value that's not defined in the framework.
Code Example:
    <% if (user.can(Permission.somePermission, Subject.subjectOfPermission)) { %>
        <td>
            ...display something if the User can Access the Subject
        </td>
    <% } %>
    <% if (user.cannot(Permission.somePermission, Subject.subjectOfPermission)) { %>
        ...display something if the User cannot Access the Subject
    <% } %>
What I'm curious to find is if there is a better way to do this? I've heard the mantra, "You shouldn't use scriptlets. Everything should be done with JSTL and Custom Tags".
However, it seems to me that by using Custom Tags I lose the advantage of using Code Complete as well as enforcing the framework's contract. To me, passing Strings to a Custom Tag only adds an extra layer of abstraction (to an abstract framework) and increases the chance of a mistake since we're now working with simple Strings.
Is there a way to create a custom tag that would take Enums as parameters or an alternate solution avoiding this altogether?
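An added example, not part of the original post and not the poster's framework: a sketch of how a tag handler could turn its String attributes back into the enums so that a mistyped name is rejected when the page renders, while the check itself stays deny-by-default. The class, method and enum constant names (`PermissionTagSketch`, `UserPermissions`, `resolve`, `tagCondition`, `INVOICE`, `REPORT`) are hypothetical, and the servlet/JSP tag API is left out so the logic runs on its own.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class PermissionTagSketch {
    enum Permission { CREATE, READ, UPDATE, DELETE }
    enum Subject { INVOICE, REPORT }   // hypothetical subjects

    /** Default deny: a subject with no entry grants nothing. */
    static final class UserPermissions {
        private final Map<Subject, Set<Permission>> granted = new EnumMap<>(Subject.class);

        void grant(Subject s, Permission... ps) {
            granted.computeIfAbsent(s, k -> EnumSet.noneOf(Permission.class))
                   .addAll(Arrays.asList(ps));
        }

        boolean can(Permission p, Subject s) {
            return granted.getOrDefault(s, Collections.emptySet()).contains(p);
        }
    }

    /** What a tag attribute setter would do: map the String onto the enum or fail loudly. */
    static <E extends Enum<E>> E resolve(Class<E> type, String attr) {
        try {
            return Enum.valueOf(type, attr.trim());
        } catch (IllegalArgumentException | NullPointerException e) {
            throw new IllegalArgumentException(
                "Unknown " + type.getSimpleName() + " '" + attr + "' in tag attribute", e);
        }
    }

    /** The tag's condition: render the body only when the permission is explicitly granted. */
    static boolean tagCondition(UserPermissions user, String permission, String subject) {
        return user.can(resolve(Permission.class, permission), resolve(Subject.class, subject));
    }

    public static void main(String[] args) {
        UserPermissions user = new UserPermissions();
        user.grant(Subject.INVOICE, Permission.READ);
        System.out.println(tagCondition(user, "READ", "INVOICE"));   // explicitly granted
        System.out.println(tagCondition(user, "DELETE", "INVOICE")); // permission not in the list
        System.out.println(tagCondition(user, "READ", "REPORT"));    // subject has no entry at all
        try {
            tagCondition(user, "REED", "INVOICE");                   // typo in the JSP attribute
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The typo case throws instead of evaluating to false, so a misspelled attribute shows up as a page error during testing rather than as an element that is silently hidden.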