On Oct 28, 2013, at 8:09 AM, Thiago H de Paula Figueiredo wrote:

> On Sun, 27 Oct 2013 11:44:42 -0200, Lenny Primak <lpri...@hope.nyc.ny.us>
> wrote:
>
>> I don't think Tapestry-Security works for Ajax requests.
>> I think it's geared more of blocking access to pages for initial load.
>
> I wouldn't say that before checking the source first.

I say this because I had to work around this issue. Tapestry-Security will return a full page (Unauthorized) which would result in a pop-up exception. Let me elaborate. Let's say you go to a page, and it requires authentication. You authenticate, you are in. Great. Now the page is in the browser for long enough for session to expire. You are no longer authenticated. Now you click Ajax request. Tapestry-Security will redirect you to an Unauthorized page in this case. This isn't done correctly, i.e. via full page redirect. Tapestry 5.3 does not handle this case correctly, i.e. a pop-up exception instead of a redirect. I actually have a workaround for this in the FlowLogix library, via the @AJAX annotation.

>
>> How can you have AJAX requests for a page that's not authorized?
>> Also, in Tapestry 5.4, this should be handled properly by way T5.4 handles
>> JavaScript.
>
> I'm not following you.

Tapestry 5.4 handles JavaScript errors better, so this issue doesn't exist in T5.4.

>
>> onActivate isn't getting called because Tapestry-Security / Shiro intercepts
>> it (and denies it's permission)
>> before onActivate ever gets called.
>
> The statement above would make me think that Tapestry-Security does work for
> AJAX requests too, as onActivate() is invoked for every request for the page,
> render or action.

The way Tapestry-Security filter is set up is that it prevents any page calls if it's not authorized, Ajax or not. This is the correct behavior.