{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 劫难 的问题《Scriptlets in a JSP Page to Access an Authorizatio》','https://www.manongdao.com/q-1025329.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
So I'm basically looking for advise on how I could improve on a solution.
Some Background First,
I developed an simple in-house authorization framework to control access and behavior in a Java/J2EE based application where the framwork could my used in any the Model, View or Controller layers.
When the user logs in they are passed a User Permission object based on their assigned role. (Default is always deny). The permissions consist of a Subject (enum) as well as a list of optional permissions (Create, Read, Update, Delete...).
In some places this is used to control the display of screen elements, in others it's combined with Strategy patterns to control system behavior based on the User's role.
In the JSP layer I access it via Scriptlets because the Code Complete option makes sure that a user doesn't enter a value that's not defined in the framework.
Code Example:
<% if (user.can(Permission.somePermission, Subject.subjectOfPermission)) { %>
<td >
...display something if the User can Access the Subject
</td>
<% } %>
<% if (user.cannot(Permission.somePermission, Subject.subjectOfPermission)) { %>
...display something if the User cannot Access the Subject
<% } %>
What I'm curious to find is if there is a better way to do this? I've heard the mantra, "You shouldn't use scriptlets. Everything should be done with JSTL and Custom Tags".
However, it seems to me that by using Custom Tags I loose the advantage of using Code Complete as well as enforcing the framework's contract. To me, passing Strings to a Custom Tag only adds an extra layer of abstraction (to an abstract framework) and increases the chance of a mistake since we're now working with simple Strings.
Is there a way to create custom tag that would take Enum's as parameters or an alternate solution avoiding this altogether?
You could use EL for this. The way to do this is by first importing the core tag library, by putting this in the head of your jsp view.
Put your subject + permission(s) for that user in a hashmap, and make a function hasPermission, that returns whether or not the user has the permission.
In your servlet, you have to put the user object in an attribute of the request by using
Afterwards, you can access them like this in your view.