I decided against the dispatcher approach for the reasons ville.virtanen brought up. The dispatcher will have to know what pages are secured and which aren't.
I am using Acegi with Tapestry. I know not everyone uses Acegi, but my approach (just to share) is to have Acegi handle authorization and authentication. Very simple and very clean, and you can easily modify how it authenticates (e.g. via database, LDAP, or whatever).

Having said that, I like to have a preventive measure to prevent secured pages falling through the cracks - so I have two Page classes all pages inherit from (SecuredBasePage and BasePage). The SecuredBasePage checks if the user is logged in. If not, it redirects to the LoginPage. Also, I need a way for all pages to access the user information from the session after they logged in, since Acegi doesn't handle that. This is where it happens.

I think it would be a great help to others if there were more detailed samples on the wiki on how to implement security in Tapestry 5 - giving readers different ways to implement it. Otherwise, everyone just reinvents the wheel and asks the same questions over and over again.

Ben

-----Original Message-----
From: Peter Stavrinides [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2008 9:30 AM
To: Tapestry users
Subject: Re: Trying to Implement RedirectException in Tapestry 5

I love the dispatcher approach for this, I like it simply because it removes security concerns from pages and is lightweight and customizable.

----- Original Message -----
From: "9902468" <[EMAIL PROTECTED]>
To: users@tapestry.apache.org
Sent: Wednesday, 20 August, 2008 4:30:05 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul
Subject: Re: Trying to Implement RedirectException in Tapestry 5

On a side note, it's a bad thing to hard code allowed roles to a page; we use a service that is queried if this role is allowed to access this page (or execute this action). That way we can have a role - rights matrix that can be administrated by the super user of the system. (Info can be in a file or db + we can make the customer fill out the matrix initially.)

- 99

Thiago H. de Paula Figueiredo wrote:
>
> On Wed, 20 Aug 2008 09:38:36 -0300, 9902468 <[EMAIL PROTECTED]>
> wrote:
>
>> One possibility yes, but that approach requires to keep a list of secured
>> pages to allow un-authorized users access non-secure pages.
>>
>> (Pages could of course be annotated to be secure or use marker
>> interface.)
>
> That's what tapestry5-acegi (and its sister project
> tapestry5-spring-security) does:
>
> @Secured({"ROLE_1", "ROLE_2"})
> public class YourPage {
> ...
> }
>
> There's a little difference: instead of using a RequestHandler or a
> Dispatcher, they transform the page classes at runtime. ;)
>
>> And your approach occurs earlier in the request cycle... Thanks for the
>> pointer!
>> (Always nice to do things right and to learn :))
>
> :)
>
> Thiago
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

--
View this message in context: http://www.nabble.com/Trying-to-Implement-RedirectException-in-Tapestry-5-tp19060597p19069467.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
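
An added sketch, not code from the thread or from Tapestry or Acegi, of the queryable role - rights matrix 99 describes, written so that a page missing from the matrix is refused instead of served (the "falling through the cracks" case Ben guards against). The class, method and page names are hypothetical, and the matrix contents are constructed sample data.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical service (all names are assumptions): "may these roles open this page?"
public class PageAccessMatrix {
    public enum Decision { ALLOW, REDIRECT_TO_LOGIN, DENY }

    private final Map<String, Set<String>> rolesByPage = new HashMap<>();

    // An empty role list marks a page as public; a page absent from the matrix is denied.
    public void grant(String page, String... roles) {
        rolesByPage.put(normalize(page), Set.of(roles));
    }

    // userRoles == null means nobody is logged in.
    public Decision check(String page, Set<String> userRoles) {
        Set<String> allowed = rolesByPage.get(normalize(page));
        if (allowed == null) {
            return Decision.DENY;                 // unlisted page: fail closed
        }
        if (allowed.isEmpty()) {
            return Decision.ALLOW;                // explicitly public
        }
        if (userRoles == null) {
            return Decision.REDIRECT_TO_LOGIN;    // secured page, anonymous user
        }
        // Logged in: allow only if at least one of the user's roles is listed.
        return Collections.disjoint(allowed, userRoles) ? Decision.DENY : Decision.ALLOW;
    }

    // Tapestry 5 treats page names case-insensitively, so compare in one case.
    private static String normalize(String page) {
        return page.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        PageAccessMatrix matrix = new PageAccessMatrix();   // constructed sample data
        matrix.grant("Index");                              // public
        matrix.grant("LoginPage");                          // public
        matrix.grant("admin/Users", "ROLE_1", "ROLE_2");
        System.out.println(matrix.check("Index", null));
        System.out.println(matrix.check("admin/users", null));
        System.out.println(matrix.check("Admin/Users", Set.of("ROLE_2")));
        System.out.println(matrix.check("NewReportPage", Set.of("ROLE_1")));
    }
}
```

Whichever hook queries it (a dispatcher, a secured base page, or a class transformation), the last call shows the property that matters: a page nobody remembered to register is denied even to a logged-in user.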