Hi

Have you already read this article [1] from Howard? It explains how to secure an application via annotations and shows the pipeline as well.

[1] http://tapestryjava.blogspot.com/2009/12/securing-tapestry-pages-with.html

2010/7/30 Daniel Henze <dhe...@googlemail.com>

> Hi everyone,
>
> I created a Service, contributed it as Dispatcher to check on request of
> secured pages (using tapestry-spring-security with @Secured annotation)
> whether the user profile has all required fields filled out. In case
> information is missing, the user is forwarded to his profile page and
> requested to update the required fields.
>
> So far so good, following the AccessController example from the Tapestry
> HowTos I could build the service and add it to the Dispatcher Pipeline:
> --- (important part from AccessController):
> Component page = componentSource.getPage(pageName);
> boolean privatePage = page.getClass().getAnnotation(Secured.class) != null;
>
> if (privatePage)
> {
>     canAccess = false;
>     /* Is the user already authenticated? */
>     if (asm.exists(User.class))
>     {
>         User user = asm.get(User.class);
>         canAccess = user.getUserProfile().isComplete();
>         System.out.println("user " + user.getUsername() + " has completed his profile: " + canAccess);
>     }
> }
> ---
> public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
>         AccessController accessController) {
>     configuration.add("AccessWithCompleteProfileController", accessController, "after:*");
> }
> ---
>
> My problem is apparently with the sequence of the pipeline, as with the
> above stated "after:*" the service never is actually executed (simple System
> out calls to check), with "before:*" I get a redirect error from the server
> ("indefinite loop") and without any declaration it again is not called at
> all.
>
> I'd appreciate a little guidance on the correct way to solve that issue. I
> see the following options:
> 1. Get AccessController invoked as the last service in Dispatcher pipeline
>    (all other checks done before). I suspect SecurityChecker to break the line.
> 2. Figure out whether User is logged in already and do not break the chain
>    in AccessController if User is not logged in. Next page request will do the
>    check.
> 3. Implement my own Security Checker and include the AccessController into
>    that code.
>
> Regards
> Daniel

--
Regards,
Christophe Cordenier.

Committer on Apache Tapestry 5
Co-creator of wooki @wookicentral.com
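
A sketch of option 2 from the quoted message, added here as an example and not code from the thread, the HowTo or the linked article: a Dispatcher that passes the request on unless a logged-in user with an incomplete profile asks for a secured page other than the profile page. The class name, the package, the `profile` page name, the Spring Security 2.x import for `@Secured` and the location of the application's `User` class are assumptions.

```java
// Added example, not code from the thread. Assumes Tapestry 5.1 and Spring
// Security 2.x's @Secured; User is the application's class from the thread,
// assumed to live in this (hypothetical) package.
package com.example.services;

import java.io.IOException;
import org.apache.tapestry5.runtime.Component;
import org.apache.tapestry5.services.*;
import org.springframework.security.annotation.Secured;

public class CompleteProfileDispatcher implements Dispatcher {
    private static final String PROFILE_PAGE = "profile"; // hypothetical page name
    private final ApplicationStateManager asm;
    private final ComponentClassResolver resolver;
    private final ComponentSource componentSource;

    public CompleteProfileDispatcher(ApplicationStateManager asm,
            ComponentClassResolver resolver, ComponentSource componentSource) {
        this.asm = asm;
        this.resolver = resolver;
        this.componentSource = componentSource;
    }

    public boolean dispatch(Request request, Response response) throws IOException {
        String pageName = pageNameFor(request.getPath());
        // Not a page (asset, unknown path) or the profile page itself: pass on.
        // If the profile page is itself @Secured, skipping this second test
        // makes the redirect target redirect again, which is a loop.
        if (pageName == null || PROFILE_PAGE.equalsIgnoreCase(pageName)) return false;

        Component page = componentSource.getPage(pageName);
        if (page.getClass().getAnnotation(Secured.class) == null) return false;

        // Anonymous users are left to the login checks further down the chain.
        if (!asm.exists(User.class)) return false;
        if (asm.get(User.class).getUserProfile().isComplete()) return false;

        response.sendRedirect(request.getContextPath() + "/" + PROFILE_PAGE);
        return true; // handled: no later dispatcher sees this request
    }

    // Longest leading part of the path that names a page, or null. Event URLs
    // carry the page name before the first '.' or ':', so cut there first.
    private String pageNameFor(String path) {
        path = path.split("[.:]", 2)[0];
        for (int end = path.length(); end > 1; end = path.lastIndexOf('/', end - 1)) {
            String candidate = path.substring(1, end);
            if (!candidate.endsWith("/") && resolver.isPageName(candidate)) return candidate;
        }
        return null;
    }
}
```

Contributed with the thread's "before:*" constraint it runs ahead of the other dispatchers, and because it returns false in every case except the redirect, the rest of the chain still handles the request.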