>>The thing I don't like about most of the current examples/solutions I've >> seen so far is that access is allowed by default if the developer forgets >> to >> add a specific annotation.
Exactly, the wiki examples are a good start but denied by default should be your default policy, for a secure extranet anyhow. If you are going to go the annotations route then use an @Unsecured annotation instead. Personally I don't bother with annotations, I use a request filter and attach the ApplicationStateManager and ComponentClassResolver as dependencies. One RequestFilter with access to the right Tapestry services is all you really need to do everything in one place and have peace of mind. Peter ----- Original Message ----- From: "Massimo Lusetti" <mluse...@gmail.com> To: "Tapestry users" <users@tapestry.apache.org> Sent: Thursday, 4 June, 2009 11:03:49 GMT +02:00 Athens, Beirut, Bucharest, Istanbul Subject: Re: Authentification in Tapestry On Thu, Jun 4, 2009 at 3:41 AM, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote: > Em Wed, 03 Jun 2009 22:07:28 -0300, Onno Scheffers <o...@piraya.nl> > escreveu: > >> I'm also using a custom dispatcher. >> The thing I don't like about most of the current examples/solutions I've >> seen so far is that access is allowed by default if the developer forgets >> to >> add a specific annotation. I'd like the page to be protected unless the >> developers makes it publicly accessible. > > Nice reasoning. :) That's a policy. I could see this implemented as a different protection strategy. Cheers -- Massimo http://meridio.blogspot.com --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
