Hi,
I'm using request filters for this right now. It's a pretty good
approach imo, and it's easy to get the security configuration from
wherever you want. My applications aren't that complex so I get by with
annotations on my page classes, but you could easily get this from
somewhere else, like a database.
I'm seriously looking at moving my authentication to an
annotation-driven ComponentClassTransformWorker. When I do that, I'll
try and post about it on the wiki.
-Filip
On 2008-08-20 17:14, Ben Wong wrote:
I decided against the dispatcher approach for the reasons ville.virtanen
brought up. The dispatcher will have to know what pages are secured and
which aren't.
I am using Acegi with Tapestry. I know not everyone uses Acegi, but my
approach (just to share) is to have Acegi handle authorization and
authentication. Very simple and very clean and you can easily modify how it
authenticates (e.g. via database, LDAP, or whatever).
Having said that, I like to have a preventive measure to prevent secured
pages falling through the cracks - so I have two Page classes all pages
inherit from (SecuredBasePage and BasePage). The SecuredBasePage checks if
the user is logged in. If not, it redirects to the LoginPage. Also, I need
a way for all pages to access the user information from the session after
they logged in since Acegi doesn't handle that. This is where it happens.
I think it would be a great help to others if there are more detailed
samples on the wiki on how to implement security in Tapestry 5 - giving
readers different ways to implement. Otherwise, everyone just reinvents the
wheel and asks the same questions over and over again.
Ben
-----Original Message-----
From: Peter Stavrinides [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2008 9:30 AM
To: Tapestry users
Subject: Re: Trying to Implement RedirectException in Tapestry 5
I love the dispatcher approach for this, I like it simply because it removes
security concerns from pages and is lightweight and customizable.
----- Original Message -----
From: "9902468" <[EMAIL PROTECTED]>
To: users@tapestry.apache.org
Sent: Wednesday, 20 August, 2008 4:30:05 PM GMT +02:00 Athens, Beirut,
Bucharest, Istanbul
Subject: Re: Trying to Implement RedirectException in Tapestry 5
On a side note, it's a bad thing to hard code allowed roles to a page, we use
a service that is queried if this role is allowed to access this page (or
execute this action). That way we can have a role - rights matrix that can be
administrated by the super user of the system. (Info can be in a file or db
+ we can make the customer fill out the matrix initially.)
- 99
Thiago H. de Paula Figueiredo wrote:
On Wed, 20 Aug 2008 09:38:36 -0300, 9902468 <[EMAIL PROTECTED]>
wrote:
One possibility yes, but that approach requires keeping a list of secured
pages to allow unauthorized users to access non-secure pages.
(Pages could of course be annotated to be secure or use marker
interface.)
That's what tapestry5-acegi (and its sister project
tapestry5-spring-security) does:
@Secured({"ROLE_1", "ROLE_2"})
public class YourPage {
...
}
There's a little difference: instead of using a RequestHandler or a
Dispatcher, they transform the page classes at runtime. ;)
And your approach occurs earlier in the request cycle... Thanks for the
pointer!
(Always nice to do things right and to learn :))
:)
Thiago
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
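The role - rights matrix service described in the thread, as an added example that is not part of any message above and is not Tapestry, Acegi or tapestry5-acegi code: a plain-Java policy that a request filter or dispatcher could query, which refuses any page that has no row so that a forgotten page cannot fall through the cracks. The class, method and page names are hypothetical; the role names reuse the ones in the @Secured snippet.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; this is not Tapestry, Acegi or tapestry5-acegi API.
public class PageAccessPolicy {
    public enum Decision { ALLOW, LOGIN_REQUIRED, DENY }

    // Marker role meaning "no login needed"; public pages must be listed explicitly.
    public static final String ANONYMOUS = "*";
    // Role - rights matrix: normalized page name -> roles allowed to open it.
    private final Map<String, Set<String>> matrix = new ConcurrentHashMap<>();

    // Called at startup or from an admin screen; rows could be loaded from a file or db.
    public void grant(String page, String... roles) {
        matrix.put(normalize(page), Set.copyOf(Arrays.asList(roles)));
    }

    // userRoles is null when nobody is logged in.
    public Decision check(String page, Set<String> userRoles) {
        Set<String> allowed = matrix.get(normalize(page));
        if (allowed == null) return Decision.DENY;              // unlisted page: fail closed
        if (allowed.contains(ANONYMOUS)) return Decision.ALLOW;
        if (userRoles == null) return Decision.LOGIN_REQUIRED;  // caller redirects to login
        for (String role : userRoles) {
            if (role != null && allowed.contains(role)) return Decision.ALLOW;
        }
        return Decision.DENY;
    }

    // Normalize casing and whitespace so a variant spelling cannot miss its row.
    private static String normalize(String page) {
        return page == null ? "" : page.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        PageAccessPolicy policy = new PageAccessPolicy();
        // Constructed sample matrix and requests.
        policy.grant("Index", ANONYMOUS);
        policy.grant("Reports", "ROLE_1", "ROLE_2");
        System.out.println(policy.check("index", null));
        System.out.println(policy.check("Reports", null));
        System.out.println(policy.check("reports", Set.of("ROLE_2")));
        System.out.println(policy.check("Reports", Set.of("ROLE_3")));
        System.out.println(policy.check("AdminTools", Set.of("ROLE_1")));
    }
}
```

Because a page without a row is denied, the filter or dispatcher calling check() needs no separate list of secured pages; only the public ones have to be granted to ANONYMOUS.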