the User that is logged in, the data is not set in the action bean and
therefore not shown to the user.
The verifications are done in each setter method, because that is what
gets called after the data has been loaded from the database. Here's
how we prevent users from seeing other people's folders:
Download email_34/src/stripesbook/action/BaseActionBean.java
public void setFolder(Folder folder) {
    if (getUser().equals(folder.getUser())) {
        getContext().setCurrentFolder(folder);
    }
}
If the folder is owned by another user, it is not set as the current folder
and not shown in the JSP. Similarly, from a Message, we can get the
corresponding Folder and, from there, the owning User, and we can use
the same logic in the setter method for a Message:
Download email_34/src/stripesbook/action/MessageDetailsActionBean.java
public void setMessage(Message message) {
    if (getUser().equals(message.getFolder().getUser())) {
        this.message = message;
    }
}
Finally, preventing users from seeing other people's contacts works
almost in the same way, except that we also have to check that the
User is not null. Indeed, when the user is creating a new contact,
setContact() is called before the contact is saved, so the user has not
been associated to the contact yet.
Download email_34/src/stripesbook/action/ContactBaseActionBean.java
public void setContact(Contact contact) {
    User user = contact.getUser();
    if (user == null || getUser().equals(user)) {
        this.contact = contact;
    }
}
With these checks for ownership, users cannot meddle in other people's
business. We now have some pretty good security measures in the
webmail application.
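The three setters above share one rule: an entity loaded by id may be bound to the action bean only if the logged-in User owns it. The following is an added example, not code from the book or the Stripes project; it folds that rule into a single helper, adds a null check on the Message-to-Folder path so a detached message is rejected rather than throwing, and exercises the three cases against constructed data (User, Folder, Message and Contact here are minimal stand-ins, assumed to mirror the book's classes).

```java
import java.util.Objects;

public class OwnershipCheckDemo {
    // Minimal stand-ins for the book's domain classes (assumed shape, constructed here).
    record User(long id) {}
    record Folder(User owner) {}
    record Message(Folder folder) {}
    record Contact(User owner) {}   // owner is null for a contact not yet saved

    private final User loggedIn;    // the User that is logged in
    Folder currentFolder;
    Message message;
    Contact contact;

    OwnershipCheckDemo(User loggedIn) { this.loggedIn = Objects.requireNonNull(loggedIn); }

    // Shared rule: bind only if the owner is the current user. A missing owner
    // counts as "not ours" unless the caller explicitly allows it (new contact).
    private boolean ownedByCurrentUser(User owner) {
        return owner != null && loggedIn.equals(owner);
    }

    public void setFolder(Folder folder) {
        if (folder != null && ownedByCurrentUser(folder.owner())) {
            currentFolder = folder;
        }
    }

    public void setMessage(Message message) {
        // Walk Message -> Folder -> User; a message with no folder is rejected.
        if (message != null && message.folder() != null
                && ownedByCurrentUser(message.folder().owner())) {
            this.message = message;
        }
    }

    public void setContact(Contact contact) {
        // A contact being created has no owner yet, so null is accepted here.
        if (contact != null
                && (contact.owner() == null || ownedByCurrentUser(contact.owner()))) {
            this.contact = contact;
        }
    }

    public static void main(String[] args) {
        User alice = new User(1), bob = new User(2);
        OwnershipCheckDemo bean = new OwnershipCheckDemo(alice);
        bean.setFolder(new Folder(bob));                 // Bob's folder: rejected, stays null
        bean.setMessage(new Message(new Folder(alice))); // Alice's message: accepted
        bean.setContact(new Contact(null));              // unsaved contact: accepted
        System.out.println(bean.currentFolder == null && bean.message != null && bean.contact != null);
    }
}
```

Because a failed check simply leaves the field null, the event handlers that follow must treat a null folder, message or contact as "not found" rather than assume the setter ran.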