reset password
vishalmohite
Posts: 5
Posted 22:26 Jun 03, 2009 |

Hello Professor,

I have some problems with my security stuff. Actually, I got my ACCESS DENIED part working for both blog entry and comment with the help of method access decision voters. I have these write permissions on saveBlogEntry/saveComment, so they are invoked only when these methods are called. Now the problem is, if any user apart from the owner or admin knows the URL for add or edit, he is still able to get to the JSP page and gets the ACCESS DENIED message only after he submits the page.

I think I need to write a BusinessObjectAccessVoter to handle the read permissions. Now unlike getEnrollmentById, I can't have these read permissions for getBlogEntryById or getCommentById because these methods are also used by the view controllers apart from the add/edit controllers.

So how do I manage this?


Thanks,

Vishal

cysun
Posts: 2935
Posted 00:03 Jun 04, 2009 |
vishalmohite wrote:

Hello Professor,

I have some problems with my security stuff. Actually, I got my ACCESS DENIED part working for both blog entry and comment with the help of method access decision voters. I have these write permissions on saveBlogEntry/saveComment, so they are invoked only when these methods are called. Now the problem is, if any user apart from the owner or admin knows the URL for add or edit, he is still able to get to the JSP page and gets the ACCESS DENIED message only after he submits the page.

This is fine. There's nothing on the edit page that needs to be secured. As long as you block the submit, it's fine.

I think I need to write a BusinessObjectAccessVoter to handle the read permissions. ...

You don't need to do that.
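An added example, not code from the course project or from either poster, of the kind of method-level voter the first post describes: it applies the owner-or-admin rule only when the save methods are invoked, so the edit page itself stays reachable (as the reply says) and the submit is what gets blocked. It assumes the Spring Security 3.1+ AccessDecisionVoter API, a WRITE_PERMISSION config attribute placed on saveBlogEntry/saveComment, a ROLE_ADMIN authority, and that BlogEntry and Comment expose their owner's username through the Owned interface defined here; all of those names are assumptions.

```java
import java.util.Collection;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Votes on saveBlogEntry(entry) / saveComment(comment): only the owner of the
// business object or an admin may call them. Read methods such as
// getBlogEntryById are not protected, so view pages and the edit form still load.
public class BusinessObjectWriteVoter implements AccessDecisionVoter<MethodInvocation> {

    // Assumption: BlogEntry and Comment implement this so the voter can read the owner.
    public interface Owned {
        String getOwnerUsername();   // null for a brand-new object with no owner yet
    }

    // Assumption: the attribute attached to the save methods in the security config.
    private static final String WRITE = "WRITE_PERMISSION";

    public boolean supports(ConfigAttribute attribute) {
        return WRITE.equals(attribute.getAttribute());
    }

    public boolean supports(Class<?> clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication auth, MethodInvocation invocation,
                    Collection<ConfigAttribute> attributes) {
        boolean protectedCall = false;
        for (ConfigAttribute a : attributes) {
            if (supports(a)) protectedCall = true;
        }
        if (!protectedCall) return ACCESS_ABSTAIN;  // not a write method: let other voters decide
        if (auth == null) return ACCESS_DENIED;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if ("ROLE_ADMIN".equals(ga.getAuthority())) return ACCESS_GRANTED;  // assumed admin role name
        }
        // The business object is the first argument of saveBlogEntry / saveComment.
        Object[] args = invocation.getArguments();
        if (args.length == 0 || !(args[0] instanceof Owned)) return ACCESS_DENIED;  // fail closed
        String owner = ((Owned) args[0]).getOwnerUsername();
        // A new entry has no owner yet; the add controller is assumed to set it to the
        // current user before calling save, so a null owner is denied here.
        return auth.getName().equals(owner) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```

The voter is registered alongside a RoleVoter in the method-security AccessDecisionManager; since it abstains on anything without WRITE_PERMISSION, it never interferes with the unprotected read methods.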

vishalmohite
Posts: 5
Posted 00:12 Jun 04, 2009 |

Oh ok... Thanks, Professor