Hello,

the examples in the Wiki use either a request filter or a request dispatcher. Both solutions extract the page name in order to check if there are any restrictions. This code originally comes from the PageRenderDispatcher.

    // Extracts the page name from the request path the way PageRenderDispatcher does.
    // Only page render URLs (/pagename/context...) are recognised: component event
    // URLs such as /mypage.myform.form never match a page name and yield null.
    private String extractPageName(Request request) {
        String pageName;
        String path = request.getPath();
        int nextslashx = path.length();

        while (true) {
            // Try the longest prefix first, then drop one trailing path segment per loop.
            pageName = path.substring(1, nextslashx);
            if (!pageName.endsWith("/") && componentClassResolver.isPageName(pageName))
                break;
            nextslashx = path.lastIndexOf('/', nextslashx - 1);
            if (nextslashx <= 1) {
                pageName = null; // no prefix resolved to a page
                break;
            }
        }
        return pageName;
    }


The issue with this approach is that component events are not validated. If I submit a form, the complete form processing can happen without any security validation. The submit sends a URL like mypage.myform.form. This kind of URL is not resolved to a page and, as a consequence, no validation takes place.

A correct implementation needs to implement the page name extraction as done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as in the decodePageRenderRequest method of the same class. In addition, a Dispatcher implementation needs to take care that it is called before the ComponentDispatcher.

The following documentation is affected:
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess

I haven't checked the Acegi Integration howtos.

Can someone please validate this? I think we need to provide either a service to decode page names or at least show how to do it properly.

--
Best Regards / Viele Grüße

Sebastian Hennebrueder

-----
http://www.laliluna.de
Laliluna.de, Berliner Strasse 22, 61118 Bad Vilbel, Germany

* Java Software Development, Support
* Training for Hibernate, EJB3 and Spring
* Tutorials for JSP, JavaServer Faces, Struts, Hibernate and EJB
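The following is an added example of the dispatcher shape the mail asks for; it is not code from the mail, the Wiki pages or the Tapestry project. It decodes the request with Tapestry's own ComponentEventLinkEncoder (decodeComponentEventRequest / decodePageRenderRequest, available from Tapestry 5.1), so a form submit such as /mypage.myform.form is attributed to its page and checked just like a page render. The class names AccessControlDispatcher and AppModule, the isAllowed policy (a session attribute "user" guarding pages under admin/), the dispatcher id "AccessControl", and the assumption that the encoder service can be injected into the contribution method without an IoC cycle are all assumptions; the ids "ComponentEvent" and "PageRender" are the ones TapestryModule contributes and should be verified against the installed version.

```java
package com.example.security; // hypothetical package

import java.io.IOException;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ComponentEventLinkEncoder;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.Dispatcher;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

/**
 * Added example: access check that covers both page render requests and
 * component event requests (form submits, action links), so it cannot be
 * bypassed by an event URL that is not a plain page name.
 */
public class AccessControlDispatcher implements Dispatcher {

    private final ComponentEventLinkEncoder linkEncoder;

    public AccessControlDispatcher(ComponentEventLinkEncoder linkEncoder) {
        this.linkEncoder = linkEncoder;
    }

    public boolean dispatch(Request request, Response response) throws IOException {
        // Same decoding Tapestry itself applies, so event URLs are not misclassified.
        ComponentEventRequestParameters event = linkEncoder.decodeComponentEventRequest(request);
        if (event != null) {
            // The active page is the one that was rendered; the containing page owns
            // the component whose event fires. Both must be permitted.
            return deny(request, response, event.getActivePageName())
                || deny(request, response, event.getContainingPageName());
        }

        PageRenderRequestParameters render = linkEncoder.decodePageRenderRequest(request);
        if (render != null) {
            return deny(request, response, render.getLogicalPageName());
        }

        // Neither a page render nor a component event (e.g. an asset request):
        // nothing to protect, let the remaining dispatchers handle it.
        return false;
    }

    /** Returns true (request handled) only when access was refused. */
    private boolean deny(Request request, Response response, String pageName) throws IOException {
        if (isAllowed(request, pageName)) {
            return false; // authorised: PageRender / ComponentEvent dispatchers continue
        }
        response.sendError(403, "Access to page " + pageName + " denied");
        return true; // stop the dispatcher chain, the event is never processed
    }

    /** Hypothetical policy: pages under admin/ need a logged-in user in the session. */
    protected boolean isAllowed(Request request, String pageName) {
        if (!pageName.toLowerCase().startsWith("admin/")) {
            return true;
        }
        Session session = request.getSession(false);
        return session != null && session.getAttribute("user") != null;
    }
}

/** In a real application this is the public application module class. */
class AppModule {
    public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
                                                  ComponentEventLinkEncoder linkEncoder) {
        // Ordering constraint: run before Tapestry's own event and render dispatchers,
        // otherwise the form is processed before this check ever sees the request.
        configuration.add("AccessControl", new AccessControlDispatcher(linkEncoder),
                          "before:ComponentEvent", "before:PageRender");
    }
}
```

The point of decoding through the encoder rather than slicing the path by hand is that the same code path Tapestry uses to recognise /mypage.myform.form as an event on mypage is the one deciding whether the check applies; a hand-written page name extractor that only understands /pagename/context returns null for that URL and silently skips the check.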

