Implementing access control policies in views

Resource-level access control for views is performed by the data bean manager. The data bean manager is invoked in the following cases: When the JSP template includes the <useBean> tag and the data bean is not in the attribute list. When the JSP template includes the following activate method: DataBeanManager.activate(xyzDatabean, request);

About this task

Any data bean that is to be protected (either directly or indirectly) must implement the Delegator interface. Any data bean that is to be directly protected will delegate to itself, and thus must also implement the Protectable interface. Data beans that are indirectly protected should delegate to a data bean that implements the Protectable interface.

While it is not recommended, a bypass of the access control checks occurs in the following cases:

  1. If the JSP template makes direct calls to access beans, rather than using data beans.
  2. If the JSP template invokes the data bean's populate() method directly.

If the results of a controller command are to be forwarded to a view (using the ForwardViewCommand), then command-level access control is not performed on the views. Furthermore, if the controller command puts the populated data beans (that are used in the view) on the attribute list of the response property and then forwards to a view, the JSP template can access the data without going through the data bean manager. This does require that the <useBean> tags are used in the JSP template. This can be a way to make a JSP template more efficient, since it can bypass any redundant resource-level access control checks on resources (data beans) to which the user has already been granted access via the controller command.