
Instrumentation to implement read-only status in a web form in an authorization framework when only permit and deny exist

IP.com Disclosure Number: IPCOM000240816D
Publication Date: 2015-Mar-04
Document File: 2 page(s) / 34K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a mechanism to automate the instrumentation of a server file (for example, JSP) to allow access to fields in it to be managed by an authorization engine.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.


Authorization engines, such as Security Policy Manager, can specify access permissions for HTML files or parts of those files. So can regular JSP, when using roles. When users do not have permission to do something, good UI practice is to avoid showing them that option. At present, that is typically done by manually editing the JSP (adding the lines in red).

For example, in this fragment, the second option will only be displayed if the user is a member of the manager role.

Select what to do


Submit an expense report
Approve expense reports

Alternatively, this could be done using the SPM tag library. Here, the requirement is for the user to have permission to approve on the resource expense_report.

Select what to do


Submit an expense report
<tspm:authorize contextId="ctx" action="approve"
resource="expense_report">
Approve expense reports

In many cases, it makes business sense to give some people the ability to specify values in a form, whereas others get read-only access, and yet others get no access.

Automatically instrument the JSP to provide three levels of access depending on the action allowed for the resource: write, read, or nothing.


1. Identify every form and every field. For example, if the form is

<form action="process.jsp">
Name: <input type="text" id="name" value="<%= current_data.name %>">
</form>

Identify a single field and call it process.jsp-name.



2. For every such field that has a v...
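
Added example (not code from the disclosure): a Python sketch of step 1 and the three access levels. It names each field "<form action>-<field id>", as in process.jsp-name, and asks a permit/deny function about the write and read actions. The amount and notes fields, the PERMITS set, the function names and the markup chosen per level (readonly attribute for read, field omitted for nothing) are assumptions, since the remaining steps are truncated on this page.

```python
import re

# Constructed sample: the page's form plus two hypothetical fields (amount, notes).
JSP_SOURCE = '''<form action="process.jsp">
Name: <input type="text" id="name" value="<%= current_data.name %>">
Amount: <input type="text" id="amount" value="<%= current_data.amount %>">
Notes: <input type="text" id="notes" value="<%= current_data.notes %>">
</form>'''
# Constructed policy standing in for the engine: the (action, resource) pairs it permits.
PERMITS = {("write", "process.jsp-name"), ("read", "process.jsp-amount")}

FORM_RE = re.compile(r'<form\b[^>]*\baction="([^"]+)"[^>]*>.*?</form>', re.S)
# A JSP expression (<%= ... %>) inside an attribute contains '>' that must not end the tag.
INPUT_RE = re.compile(r'<input\b(?:<%.*?%>|[^>])*>', re.S)
ID_RE = re.compile(r'\bid="([^"]+)"')

def is_permitted(action, resource):
    """Permit/deny only, like the engine the disclosure assumes."""
    return (action, resource) in PERMITS

def access_level(resource, permitted=is_permitted):
    """Collapse permit/deny answers for two actions into write, read or none."""
    if permitted("write", resource):
        return "write"
    return "read" if permitted("read", resource) else "none"

def fields(source):
    """Step 1: yield (resource, start, end) for every <input> that has an id."""
    for form in FORM_RE.finditer(source):
        for tag in INPUT_RE.finditer(source, form.start(), form.end()):
            field_id = ID_RE.search(tag.group(0))
            if field_id:
                yield f"{form.group(1)}-{field_id.group(1)}", tag.start(), tag.end()

def render_for_user(source, permitted=is_permitted):
    """Return the form as one user should see it; the markup per level is assumed."""
    out = source
    # Work backwards so earlier offsets stay valid while the text is edited.
    for resource, start, end in reversed(list(fields(source))):
        level = access_level(resource, permitted)
        if level == "read":
            out = out[:end - 1] + " readonly>" + out[end:]
        elif level == "none":
            out = out[:start] + out[end:]  # neither action permitted: omit the field
    return out

if __name__ == "__main__":
    print(render_for_user(JSP_SOURCE))
```

The readonly attribute only changes what the browser displays, so the page that processes the submission still has to obtain a permit for write on the same resource before accepting a value.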