On Tuesday 19 May 2009 05:05:11 pm dusty wrote:

> I think this is more difficult than most people think. There are a lot of use cases and edge cases that make most home-grown solutions pretty fragile. I think GETs are pretty easy, but it gets a little more exciting when you are dealing with POSTs to a secure resource. People tend to get pissed off if you lose their POST data and redirect them back to the form to start over.
>
> Spring Security handles this pattern quite well. It is understandable that you are reluctant because you are not using Spring service wiring, but you can get robust Authentication and Authorization services with a little configuration. The good news is your site will behave the way people expect it to.
>
> There are other issues like what happens when an AJAX request is sent for a secure resource after a session timeout, etc...
To second what dusty is saying, POSTs are not the only resources that can't be easily persisted across a login request. Another situation to think of is AJAX requests. I had a situation where someone would leave a search screen open and periodically put in a parameter, then click search. Since the whole operation happened via async request, if the session had timed out, then the login form would be retrieved by the async request. It made for an ugly results table since it didn't parse well.

So, hand-rolling a solution works for GET requests, but just about anything else will go haywire. Bringing in ACEGI (now called Spring Security) is quite easy and Spring is mostly non-intrusive, so if you aren't using it anywhere else, it is no harm.

-Wes

-- 
Wes Wannemacher
Author - Struts 2 In Practice
Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
http://www.manning.com/wannemacher
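The failure Wes describes (an async search request silently receiving the login page after a session timeout and dumping it into the results table) can be caught on the client side. The following is an added example, not code from either poster or from Struts/Spring Security; it assumes the login form lives at `/login` and that the search endpoint normally answers with JSON.

```javascript
// Added example: classify an async reply so that a session-timeout response
// is never rendered as search results. Assumed: login form at /login,
// search endpoint returns JSON on success.
const LOGIN_PATH = '/login'; // assumption: where the login form is served

// Decide what the page should do with a fetch/XHR reply. The fields mirror
// what a browser Response exposes: status, final URL, redirected flag, and
// the Content-Type header.
function classifyAjaxResponse({ status, url, redirected, contentType }, expectedType = 'application/json') {
  // The server said so explicitly.
  if (status === 401 || status === 403) return 'login-required';
  // A hand-rolled login filter usually answers 302 -> /login; fetch follows it
  // silently, so the final URL is the only trace of the redirect.
  if (redirected && new URL(url, 'http://localhost').pathname === LOGIN_PATH) return 'login-required';
  // A 200 whose body is HTML when JSON was expected is the login form (or an
  // error page) being served in place of the resource: do not parse it.
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  if (status === 200 && type !== expectedType) return 'unexpected-content';
  if (status === 200) return 'ok';
  return 'error';
}

// Wrapper around fetch that routes each outcome to a handler instead of
// blindly feeding the body to the results table. fetchImpl is injected so the
// function can be exercised without a browser.
async function secureSearch(fetchImpl, query, handlers) {
  const res = await fetchImpl(`/search?q=${encodeURIComponent(query)}`, {
    // Tell the server this is an async call so it can reply 401 rather than
    // redirecting, and send the session cookie with the request.
    headers: { Accept: 'application/json', 'X-Requested-With': 'XMLHttpRequest' },
    credentials: 'same-origin',
  });
  const verdict = classifyAjaxResponse({
    status: res.status,
    url: res.url,
    redirected: res.redirected,
    contentType: res.headers.get('content-type'),
  });
  if (verdict === 'ok') return handlers.onResults(await res.json());
  if (verdict === 'login-required' || verdict === 'unexpected-content') {
    // Preserve the user's input and prompt for re-authentication instead.
    return handlers.onLoginRequired(query);
  }
  return handlers.onError(res.status);
}
```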