Hi,
As an alternate approach, you may override the default page source with an implementation that checks security constraints just before giving out the page instance - this basically has the added benefit that secured page instances may not be obtained even through (accidental) malicious code in non-secure pages or services.
-- Overridden engine
public class MyEngine extends BaseEngine
{
    // Hand out the protected page source instead of the default one
    protected IPageSource createPageSource(RequestContext context)
    {
        return new ProtectedPageSource(this);
    }
}
-- Overridden page source
public class ProtectedPageSource extends PageSource
{
    public ProtectedPageSource(IEngine engine)
    {
        super(engine);
    }

    public IPage getPage(IRequestCycle cycle, String pageName, IMonitor monitor)
    {
        IPage page = super.getPage(cycle, pageName, monitor);
        // Only pages derived from ProtectedPage require a logged-in user
        if (page != null && page instanceof ProtectedPage)
        {
            Visit visit = (Visit) cycle.getEngine().getVisit();
            // No visit or no user: redirect to the Login page
            if (visit == null || visit.getUser() == null)
                throw new PageRedirectException("Login");
        }
        return page;
    }
}
-- A protected page
public class ProtectedPage
    extends BasePage
{
}
Something along those lines ;)
Cheers,
-- Nikla
Mark Stang wrote:
Hi,
This seems to work for us.
public class ValidatePage
    extends BasePage
    implements PageValidateListener
{
    public void pageValidate(PageEvent event)
    {
        Mediator mediator = MgmtFactory.getMediator();
        if (!mediator.isConsole())
        {
            IPage messagePage = getRequestCycle().getPage("nonAdminConsole");
            throw new PageRedirectException(messagePage);
        }
        else
        {
            // If there is no visit object or the user isn't auth'd ship
            // them off to the login page
            Visit visit = (Visit)getVisit();
            if (visit == null || !visit.isUserAuthenticated())
            {
                Login login = (Login)getRequestCycle().getPage("login");
                throw new PageRedirectException(login);
            }
        }
    }
}
I tried a couple of different experiments. The first was to log in and copy a link then close the browser. I wasn't able to get to the page via the direct link. If I "logout" and try and access the page via a direct link, I don't get access. If I log in and copy a link and then surf off to another page, then I can come back via the direct link. All of this is based on my use of a session and the visit object. So, reviewing your code, I would think you need to have to check more than if the visit exists. You need to store a flag saying that they have been authenticated.
regards,
Mark
Mark J. Stang
Senior Engineer/Architect
office: +1 303.468.2900
mobile: +1 303.507.2833
Ping Identity
-----Original Message-----
From: James Sherwood [mailto:[EMAIL PROTECTED]
Sent: Fri 2/23/2007 6:34 AM
To: Tapestry users
Subject: Page Validation
Hello,
We use Tapestry 3.2
I have security (login) using PageValidateListener.
The secure page in the site is called ISOPage which extends BasePage.
I add the page validation using:
public ISOPage(){
    super();
    addPageValidateListener(new PageValidationListener());
}
The PageValidationListener class implements PageValidateListener and does security like this:
if(visit.getUser() == null){
    throw new PageRedirectException("UserLogin");
}
This all works fine it seems unless a direct is involved.
If I copy a directlink then try to access it without logging in it shows me the page the directlink java code is on.
The PageRedirectException does happen and if I refresh or try to go anywhere it sends me to the login but it still shows that page first.
Any ideas?
Thanks,
James
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
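Added example, not code from the thread or from Tapestry: a framework-free Java model of the two points made in the replies above, enforcing the check at the single place where page instances are handed out, and testing an explicit authenticated flag rather than only whether a session object exists. Every type and name in it (PageGateDemo, GatedPageSource, Session, Protected, RedirectToLogin) is a hypothetical stand-in.

```java
import java.util.HashMap;
import java.util.Map;

// Framework-free model; all types are hypothetical stand-ins, not Tapestry API.
public class PageGateDemo {
    interface Page { String render(); }
    interface Protected {}                  // marker, like ProtectedPage in the thread

    static class Session {                  // plays the role of the Visit object
        boolean authenticated;              // set only by a successful login
    }

    static class RedirectToLogin extends RuntimeException {
        RedirectToLogin() { super("Login"); }
    }

    static class Home implements Page { public String render() { return "home"; } }
    static class Admin implements Page, Protected { public String render() { return "admin"; } }

    // Single choke point: no caller obtains a Protected page without passing the check.
    static class GatedPageSource {
        private final Map<String, Page> pages = new HashMap<>();
        void register(String name, Page p) { pages.put(name, p); }

        Page getPage(String name, Session s) {
            Page p = pages.get(name);
            if (p == null) throw new IllegalArgumentException("unknown page: " + name);
            // A session that merely exists is not enough; require the flag.
            if (p instanceof Protected && (s == null || !s.authenticated))
                throw new RedirectToLogin();
            return p;
        }
    }

    static String request(GatedPageSource src, String name, Session s) {
        try { return src.getPage(name, s).render(); }
        catch (RedirectToLogin e) { return "redirect:" + e.getMessage(); }
    }

    public static void main(String[] args) {
        GatedPageSource src = new GatedPageSource();
        src.register("Home", new Home());
        src.register("Admin", new Admin());
        Session anonymous = new Session();  // session exists, nobody logged in
        Session loggedIn = new Session(); loggedIn.authenticated = true;
        System.out.println(request(src, "Home", null));
        System.out.println(request(src, "Admin", null));
        System.out.println(request(src, "Admin", anonymous));
        System.out.println(request(src, "Admin", loggedIn));
    }
}
```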