Hello, the examples in the Wiki use either a request filter or a request dispatcher. Both solutions extract the page name in order to check if there are any restrictions. This code originally comes from the PageRenderDispatcher.

    String pageName;
    String path = request.getPath();
    int nextslashx = path.length();

    // Strip trailing path segments until the remainder is a known page name.
    while (true) {
        pageName = path.substring(1, nextslashx);
        if (!pageName.endsWith("/") && componentClassResolver.isPageName(pageName))
            break;
        nextslashx = path.lastIndexOf('/', nextslashx - 1);
        if (nextslashx <= 1) {
            pageName = null; // no page name found in the path
            break;
        }
    }
    return pageName;

The issue with this approach is that Component events are not validated. If I submit a form, the complete form processing can happen without any security validation. The submit sends a URL like mypage.myform.form. This kind of URL is not resolved to a page, and as a consequence no validation takes place.

A correct implementation needs to implement the page name extraction as done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as in the decodePageRenderRequest method of the same class.

In addition, a Dispatcher implementation needs to take care that it is called before the ComponentDispatcher.

The following documentation is affected:

http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess

I haven't checked the Acegi Integration howtos.

Can someone please validate this? I think we need to provide either a service to decode page names or at least show how to do it properly.

--
Best Regards / Viele Grüße
Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
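
The gap described in the message above, as an added example that is not code from the post, the Wiki, or Tapestry: the segment-stripping loop finds no page for an event path such as /mypage.myform.form, so an access check keyed on the page name never runs, while a second pass that cuts the path at the first '.' or ':' does find it. Assumptions: the `isPageName` predicate stands in for `componentClassResolver.isPageName`, the class and method names are hypothetical, the event path layout is page name followed by '.' component id and/or ':' event type, and the page set and request paths are constructed.

```java
import java.util.Set;
import java.util.function.Predicate;

public class PageNameExtraction {

    // Same logic as the loop in the post: drop trailing path segments
    // until what remains is a known page name, else return null.
    static String fromRenderPath(String path, Predicate<String> isPageName) {
        int end = path.length();
        while (end > 1) {
            String candidate = path.substring(1, end);
            if (!candidate.endsWith("/") && isPageName.test(candidate)) return candidate;
            end = path.lastIndexOf('/', end - 1);
        }
        return null;
    }

    // Try the page render form first; if that fails, treat the path as a
    // component event request and keep only the part before the first '.' or ':'
    // (assumed layout: /page.componentId:eventType/context).
    static String fromAnyPath(String path, Predicate<String> isPageName) {
        String page = fromRenderPath(path, isPageName);
        if (page != null) return page;
        for (int i = 1; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '.' || c == ':') return fromRenderPath(path.substring(0, i), isPageName);
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed page names; stand-in for componentClassResolver.isPageName.
        Set<String> pages = Set.of("mypage", "admin/users");
        Predicate<String> isPageName = p -> pages.contains(p.toLowerCase());

        // Constructed request paths: page render, form submit, event with context.
        String[] paths = {
            "/mypage", "/mypage.myform.form", "/admin/users/7",
            "/admin/users.grid:action/5", "/nosuchpage.form"
        };
        for (String path : paths) {
            System.out.printf("%-28s render-only=%-12s any=%s%n", path,
                    fromRenderPath(path, isPageName), fromAnyPath(path, isPageName));
        }
    }
}
```

A path for which both passes return null ("/nosuchpage.form" here) matches no page at all, so a filter built on this has to decide explicitly what to do with it rather than fall through.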