Hi Lenny
Thanks for your answer. I guess my description was somehow incomplete...
OnActivate from the "unauthorized" page is not called, that's surprising to me.
The user has permission to view the page in general but misses certain
functionality permissions triggered by event callback methods. My initial
failure was to show such event links at all, but that's a different story...
Nevertheless its still possible to enter such a link URL directly in the
browser, but luckily in this case everything works as expected (redirect to
"unauthorized" page and onActivate from the unauthorized page gets called)
As the only difference is "zone/ajax" related, I guess shiro does not handle
XHR requests correctly when rendering/redirecting, but this just an assumption.
I have to dig deeper in the shiro source
Jens
Von meinem iPhone gesendet
> Am 27.10.2013 um 14:44 schrieb Lenny Primak <lpri...@hope.nyc.ny.us>:
>
> I don't think Tapestry-Security works for Ajax requests.
> I think it's geared more of blocking access to pages for initial load.
> How can you have AJAX requests for a page that's not authorized?
> Also, in Tapestry 5.4, this should be handled properly by way T5.4 handles
> JavaScript.
>
> onActivate isn't getting called because Tapestry-Security / Shiro intercepts
> it (and denies it's permission)
> before onActivate ever gets called.
>
>> On Oct 27, 2013, at 8:55 AM, Jens Breitenstein wrote:
>>
>> Hi all!
>>
>> I have a strange problem and maybe one of you can give me a hint...
>>
>> Basically I have a table and each individual <tr> forms it's own zone and
>> can be replaced independently from each other by an eventlink (works
>> perfectly).
>> Next I added @RequiresPermissions("MyPermission:modify") on the
>> event-callback method to limit access. In case an user does not have the
>> required permissions Shiro correctly identfies it and throws an
>> OperationException("Subject does not have permission"), perfect too.
>> Unfortunately there is no redirect to the "Unauthorized" page but instead
>> the page is rendered in the "ajax dialog box" (which tapestry shows in case
>> of problems/errors).
>>
>> From the stacktrace I see
>> "SecurityExceptionHandlerAssistant.handleRequestException" is called to
>> retrieve the page name to show ("Unauthorized"). Unfortunately there is no
>> redirect to the page but instead "renderer.renderPageResponse(page)" is
>> called and surprisingly "onActivate" of my "Unauthorized" page is not called
>> at all.
>>
>> Any idea what happens and how to solve it?
>>
>>
>> Jens
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
