ExtJS and page authorization (server-side)


Problem description

I'm looking for information on how to implement secure pages using ExtJS 4. By secure pages I mean the user will log into our website using Siteminder (SSO) and so we will have the user's identity. Then we would determine what roles the user would have by making a database/LDAP call and only render those views/components that the user has access to.

Several questions come to mind:

1.) Of course I would expect we would do the authorization check prior to rendering the pages on the server-side, so how do you do this prior to firing Ext.onReady()? I need to have the ExtJS wait for the response from the server?

2.) What is the best way to organize a page's components where the case may be someone could see a particular component and another person cannot?

3.) How do I deliver the resulting page (i.e., the pieces the user has access to) to the client?

TIA!

Solution

  1. Use a server side technology to pre-process authorization by putting your JS App launch script into a JSP/GSP. What this does is force server side components to kick off first and then render the HTML/JS/CSS to the client. For a full RIA app use index.gsp (or jsp) and your URL stays "domain/contextroot".

  2. You can interrogate access privs to content via ajax request to server or alternatively you could set JS variables via again JSP technology that is processed first before the rest of the client response is returned.

    <g:javascript>
      // global env var definition
      var env = "${System.getProperty(Environment.KEY)}";
    </g:javascript>

Both of these are not 100% safe as client side code can be altered. The real security enforcement must be handled on server side when data is submitted for processing.

  3. Easy way would be to hide/show views etc. based on 2. above. There is also some experimentation out there with modularizing the client side MVC application by lazily (manually) initializing controllers that may or may not be needed.

Hope this helps.

DB :)
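
The split described in the answer above, as an added example that is not part of the original post: the server derives the visible views from the user's roles and emits them as a JS variable for the UI, while the submit handler re-checks the session's roles regardless of what the client sends. It is written in plain JavaScript rather than JSP/GSP, and every name in it (`PERMISSIONS`, `permissionsFor`, `toInlineJson`, `bootstrapScript`, `handleSubmit`, the view and action names) is hypothetical.

```javascript
// Added example: server-side view filtering plus enforcement on submit.
// All identifiers and the role/view/action names are constructed for illustration.

// Role -> views the client may render and actions the server will accept.
const PERMISSIONS = {
  viewer: { views: ['reportGrid'], actions: ['report.read'] },
  editor: { views: ['reportGrid', 'editForm'], actions: ['report.read', 'report.update'] },
};

// Roles come from the server-side lookup (database/LDAP) keyed by the SSO
// identity, never from anything the browser sends.
function permissionsFor(roles) {
  const views = new Set(), actions = new Set();
  for (const r of roles) {
    const p = PERMISSIONS[r];
    if (!p) continue; // an unknown role grants nothing
    p.views.forEach(v => views.add(v));
    p.actions.forEach(a => actions.add(a));
  }
  return { views: [...views].sort(), actions };
}

// Serialize data for an inline <script> block. JSON.stringify alone does not
// stop "</script>" from ending the block, so escape <, >, & and U+2028/2029.
function toInlineJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// What the server-rendered page emits ahead of the Ext.onReady() launch code.
// The client uses env.views only to decide which components to create.
function bootstrapScript(user) {
  const { views } = permissionsFor(user.roles);
  return '<script>var env = ' + toInlineJson({ user: user.name, views }) + ';</script>';
}

// Enforcement point: decide from the session's roles and ignore any role or
// flag carried in the request body, since client-side code can be altered.
function handleSubmit(sessionUser, request) {
  const { actions } = permissionsFor(sessionUser.roles);
  if (!actions.has(request.action)) return { status: 403, body: 'forbidden' };
  return { status: 200, body: 'ok' };
}
```
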
