Re: Page Validation

2007-02-26 Thread James Sherwood

Hello,

I tried implementing it exactly as you suggested but I still get to see the 
first page.  Once I refresh or try to go somewhere it sends me to the login 
page.


The funny thing is, the PageRedirectException IS being thrown, it's just not 
going to the login page.


Any ideas?

--James


RE: Page Validation

2007-02-26 Thread Mark Stang
James,
You said, "I tried implementing it exactly as you suggested", which method? 
There were two.  It would help to post your code.

regards,

Mark

Mark J. Stang
Senior Engineer/Architect
office: +1 303.468.2900
mobile: +1 303.507.2833
Ping Identity




Re: Page Validation

2007-02-26 Thread James Sherwood

I think I have solved it.

Our way was fine, it was basically the page with the page validate way 
except we added it in the page.


The problem I believe is that our cycle.activate's are in try/catches and 
it's catching the error and not actually throwing the page redirect 
exception.


Still testing atm, will keep advised.

--James
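
The failure mode James describes above (a PageRedirectException caught by a try/catch around cycle.activate), as an added example that is not code from the thread or from Tapestry. The classes are stand-ins: PageRedirectException here is a plain unchecked exception, and activate, service and the two listener methods are hypothetical names.

```java
public class SwallowedRedirectDemo {
    // Stand-in for Tapestry's PageRedirectException (assumed unchecked here).
    static class PageRedirectException extends RuntimeException {
        final String targetPage;
        PageRedirectException(String targetPage) {
            super("redirect to " + targetPage);
            this.targetPage = targetPage;
        }
    }

    // Stand-in for cycle.activate(): runs the target page's validation check.
    static void activate(String page, boolean loggedIn) {
        if (page.equals("ISOPage") && !loggedIn) {
            throw new PageRedirectException("UserLogin");
        }
    }

    // Before: the broad catch swallows the redirect, so the request carries on
    // and the page holding the direct link is rendered to an anonymous user.
    static String listenerSwallowing(boolean loggedIn) {
        try {
            activate("ISOPage", loggedIn);
        } catch (Exception e) {
            System.err.println("ignored: " + e.getMessage());
        }
        return "rendered page";
    }

    // After: rethrow the control-flow exception, handle only genuine errors.
    static String listenerRethrowing(boolean loggedIn) {
        try {
            activate("ISOPage", loggedIn);
        } catch (PageRedirectException e) {
            throw e;
        } catch (Exception e) {
            System.err.println("error: " + e.getMessage());
        }
        return "rendered page";
    }

    // Stand-in for the engine: the only place a redirect becomes a response.
    static String service(boolean fixed, boolean loggedIn) {
        try {
            return fixed ? listenerRethrowing(loggedIn) : listenerSwallowing(loggedIn);
        } catch (PageRedirectException e) {
            return "redirected to " + e.targetPage;
        }
    }

    public static void main(String[] args) {
        // Constructed case: an anonymous user follows a copied direct link.
        System.out.println("broad catch: " + service(false, false));
        System.out.println("rethrow:     " + service(true, false));
        System.out.println("logged in:   " + service(true, true));
    }
}
```

Any catch (Exception ...) or catch (Throwable ...) between the security check and the engine has the same effect, so a review for this problem looks for broad catches on that path.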

RE: Page Validation

2007-02-23 Thread Mark Stang
Hi,
This seems to work for us.

public class ValidatePage
    extends BasePage
    implements PageValidateListener
{
    public void pageValidate(PageEvent event)
    {
        Mediator mediator = MgmtFactory.getMediator();
        if (!mediator.isConsole())
        {
            IPage messagePage = getRequestCycle().getPage("nonAdminConsole");
            throw new PageRedirectException(messagePage);
        }
        else
        {
            // If there is no visit object or the user isn't auth'd ship
            // them off to the login page
            Visit visit = (Visit) getVisit();
            if (visit == null || !visit.isUserAuthenticated())
            {
                Login login = (Login) getRequestCycle().getPage("login");
                throw new PageRedirectException(login);
            }
        }
    }
}

I tried a couple of different experiments.  The first was to log in and copy a 
link then close the browser.  I wasn't able to get to the page via the direct 
link.  If I logout and try and access the page via a direct link, I don't get 
access.  If I log in and copy a link and then surf off to another page, then I 
can come back via the direct link.  All of this is based on my use of a session 
and the visit object.  So, reviewing your code, I would think you need to 
check more than if the visit exists.  You need to store a flag saying 
they have been authenticated.

regards,

Mark

Mark J. Stang
Senior Engineer/Architect
office: +1 303.468.2900
mobile: +1 303.507.2833
Ping Identity



-Original Message-
From: James Sherwood [mailto:[EMAIL PROTECTED]
Sent: Fri 2/23/2007 6:34 AM
To: Tapestry users
Subject: Page Validation
 
Hello,

We use Tapestry 3.2

I have security (login) using PageValidateListener.

The secure page in the site is called ISOPage which extends BasePage.

I add the page validation using:
public ISOPage(){
    super();
    addPageValidateListener(new PageValidationListener());
}

The PageValidationListener class implements PageValidateListener and does 
security like this:

if(visit.getUser() == null){
    throw new PageRedirectException("UserLogin");
}

This all works fine it seems unless a direct is involved.

If I copy a directlink then try to access it without logging in it shows me 
the page the directlink java code is on.

The PageRedirectException does happen and if I refresh or try to go anywhere 
it sends me to the login but it still shows that page first.

Any ideas?
Thanks,
James 






Re: Page Validation

2007-02-23 Thread Nikla Ratinen


Hi,

As an alternate approach you may override the default page source with 
an implementation that checks security constraints just before giving out 
the page instance - this basically has the added benefit that secured page 
instances may not be obtained even through (accidental) malicious code in 
non-secure pages or services.


-- Overridden engine
public class MyEngine extends BaseEngine
{
    protected IPageSource createPageSource(RequestContext context)
    {
        return new ProtectedPageSource(this);
    }
}

-- Overridden page source
public class ProtectedPageSource extends PageSource
{
    public ProtectedPageSource(IEngine engine)
    {
        super(engine);
    }

    public IPage getPage(IRequestCycle cycle, String pageName, IMonitor monitor)
    {
        IPage page = super.getPage(cycle, pageName, monitor);

        // Check the security constraint before handing out a protected page
        if (page != null && page instanceof ProtectedPage)
        {
            Visit visit = (Visit) cycle.getEngine().getVisit();
            if (visit == null || visit.getUser() == null)
                throw new PageRedirectException("Login");
        }

        return page;
    }
}

-- A protected page

public class ProtectedPage
    extends BasePage
{
}


Something along those lines ;)

Cheers,
-- Nikla


