Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2012-02-01 Thread Gunnar Eketrapp
Thanks Kalle!

That solved my ajax securing problem.

/Gunnar

On Tuesday, 17 January 2012, Kalle Korhonen <kalle.o.korho...@gmail.com> wrote:
> On Thu, Aug 25, 2011 at 1:08 AM, Gunnar Eketrapp
>  wrote:
>> I still haven't managed to get ajax calls to redirect.
>> I changed to reload as I saw in this mailing list.
>> In Chrome's debugger I can see that the timed out ajax call returns ..
>> {"script":"window.location.reload();"}
>> ... but nothing happens on the client side.
>> So the question is still open: do I have to do something to enable this?
>
> Hey Gunnar, in case you never solved this on your own since the issue
> resurfaced on one of my projects to my surprise. The behavior is
> version dependent, you might need to send a content key with the
> response to get the scripts executed, but if all you need is a
> redirect, it's better to respond simply with:
> os.write(("{\"redirectURL\":\"" + link.toAbsoluteURI() + "\"}").getBytes());
>
> And to Howard, as explained at
> http://stackoverflow.com/questions/282429/returning-redirect-as-response-to-xhr-request,
> it's not possible for the client application to handle a 302. The
> browser handles it directly and all the client sees is a response to
> the redirected request.
>
> Kalle

Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2012-01-16 Thread Kalle Korhonen
On Thu, Aug 25, 2011 at 1:08 AM, Gunnar Eketrapp
 wrote:
> I still haven't managed to get ajax calls to redirect.
> I changed to reload as I saw in this mailing list.
> In Chrome's debugger I can see that the timed out ajax call returns ..
> {"script":"window.location.reload();"}
> ... but nothing happens on the client side.
> So the question is still open: do I have to do something to enable this?

Hey Gunnar, in case you never solved this on your own since the issue
resurfaced on one of my projects to my surprise. The behavior is
version dependent, you might need to send a content key with the
response to get the scripts executed, but if all you need is a
redirect, it's better to respond simply with:
os.write(("{\"redirectURL\":\"" + link.toAbsoluteURI() + "\"}").getBytes());

And to Howard, as explained at
http://stackoverflow.com/questions/282429/returning-redirect-as-response-to-xhr-request,
it's not possible for the client application to handle a 302. The
browser handles it directly and all the client sees is a response to
the redirected request.

Kalle


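The redirectURL reply Kalle describes, sketched from both ends as an added example (not code from the thread or from Tapestry): the server builds the body with a JSON serializer rather than string concatenation, and the client resolves the target and navigates only within its own origin. The function names, the `{ contentType, body }` response shape and the `app.example` origin used when calling it are assumptions made for the illustration.

```javascript
// Added example: buildRedirectBody, buildRedirectBodyByConcat and
// decideAjaxAction are hypothetical names, not part of Tapestry or tapestry.js.

// Server-side shape of the reply. String concatenation, as in the thread,
// yields invalid JSON as soon as the URI contains a double quote or backslash.
function buildRedirectBodyByConcat(uri) {
  return '{"redirectURL":"' + uri + '"}';
}

// A JSON serializer escapes the value, so the body always parses.
function buildRedirectBody(uri) {
  return JSON.stringify({ redirectURL: uri });
}

// Client-side decision for a completed XHR. `response` is a plain object
// { contentType, body }; `pageOrigin` stands in for window.location.origin.
function decideAjaxAction(response, pageOrigin) {
  const type = String(response.contentType || '').toLowerCase();
  if (!type.startsWith('application/json')) {
    // Typically the browser followed a 302 on its own, so what arrived is the
    // HTML of the redirect target instead of the expected JSON. A full page
    // reload lets the server-side access check redirect the whole page.
    return { action: 'reload', reason: 'non-JSON reply to ajax request' };
  }
  let data;
  try {
    data = JSON.parse(response.body);
  } catch (e) {
    return { action: 'error', reason: 'malformed JSON' };
  }
  if (data === null || typeof data !== 'object') {
    return { action: 'error', reason: 'unexpected JSON shape' };
  }
  if (typeof data.redirectURL === 'string') {
    let target;
    try {
      // Resolves relative paths such as "/noaccess" against the page origin.
      target = new URL(data.redirectURL, pageOrigin);
    } catch (e) {
      return { action: 'error', reason: 'unparseable redirect target' };
    }
    // Navigate only within the application's own origin. javascript: and
    // data: URLs have the opaque origin "null" and are refused here as well.
    if (target.origin !== new URL(pageOrigin).origin) {
      return { action: 'error', reason: 'cross-origin redirect refused' };
    }
    return { action: 'navigate', url: target.href };
  }
  // Anything else is ordinary update data. A "script" key is never evaluated.
  return { action: 'update', data: data };
}

// In a browser the caller would act on the result, for instance:
//   const r = decideAjaxAction(
//     { contentType: xhr.getResponseHeader('Content-Type'), body: xhr.responseText },
//     window.location.origin);
//   if (r.action === 'navigate') window.location.assign(r.url);
//   else if (r.action === 'reload') window.location.reload();
```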

Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-25 Thread Taha Hafeez
Hi

This may not be the best solution but here is what I have done and it
works for me ..

I am using a custom tapestry.js with this addition to the ajaxRequest call

    if (Tapestry.windowUnloaded)
        return;

    /*
     * Prototype treats status == 0 as success, even though it seems
     * to mean the server didn't respond.
     */
    if (!response.getStatus() || !response.request.success()) {
        Tapestry.error(Tapestry.Messages.ajaxRequestUnsuccessful);
        return;
    }


***if(response.getHeader("Content-type").indexOf("text/html") == 0 &&

response.responseText.indexOf(" wrote:
> I still haven't managed to get ajax calls to redirect.
>
> I changed to reload as I saw in this mailing list.
> In Chrome's debugger I can see that the timed out ajax call returns ..
>
> {"script":"window.location.reload();"}
>
> ... but nothing happens on the client side.
>
> So the question is still open: do I have to do something to enable this?
>
> Thanks in advance!

Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-25 Thread Gunnar Eketrapp
I still haven't managed to get ajax calls to redirect.

I changed to reload as I saw in this mailing list.
In Chrome's debugger I can see that the timed out ajax call returns ..

{"script":"window.location.reload();"}

... but nothing happens on the client side.

So the question is still open: do I have to do something to enable this?

Thanks in advance!


Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-23 Thread Magnus Kvalheim
No sorry, that's not relevant for this. Eager to help, but I should
have paid more attention to detail :)


Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-23 Thread Magnus Kvalheim
I sometimes use a proxy for doing redirects.

    import java.net.URL;

    import org.apache.tapestry5.ComponentResources;
    import org.apache.tapestry5.annotations.Persist;
    import org.apache.tapestry5.ioc.annotations.Inject;

    public class RedirectProxy {
        @Persist private String redirectURL;
        @Inject private ComponentResources _resources;

        Object onActivate() {
            try {
                // Returning a java.net.URL makes Tapestry send a redirect to it
                URL url = new URL(redirectURL);
                return url;
            } catch (Exception e) {
                // TODO: handle exception
            } finally {
                // Clear the persisted URL so it is used only once
                _resources.discardPersistentFieldChanges();
            }
            // Index is the application's own start page class
            return Index.class;
        }

        public void setRedirectURL(String redirectURL) {
            this.redirectURL = redirectURL;
        }

        public String getRedirectURL() {
            return redirectURL;
        }
    }

Then from an event handler:

    redirectProxy.setRedirectURL(u);
    return redirectProxy;

It could perhaps be useful for this case?

--magnus


Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-23 Thread Gunnar Eketrapp
Hum .. this did not work so I guess I have to do something on the client
side as well ...

    if (request.isXHR()) {
        OutputStream os = response.getOutputStream("application/json;charset=UTF-8");
        os.write(("{\"script\":\"window.location.replace('" + link.toAbsoluteURI() + "');\"}").getBytes());
        os.close();
    } else {
        response.sendRedirect(link);
    }


2011/8/23 Kalle Korhonen 

> On Mon, Aug 22, 2011 at 4:42 PM, Howard Lewis Ship 
> wrote:
> > Actually, perhaps Tapestry's client-side support should, by default,
> > handle 302 correctly.
>
> Yes, perhaps so. But the correctness is "in the eye of the beholder".
> It's clear that a 302 response to a non-ajax request always causes a
> redirect, but not necessarily so for an ajax request. If the default
> behavior was easily overridable then yes, why not. Perhaps I should
> just bring tapestry-exceptionpage functionality to the core.
>
> Kalle
>
>
> > Currently, Tapestry's JSON response for partial page updates includes
> > a special key for performing a redirect.
> >
> > On Mon, Aug 22, 2011 at 2:20 PM, Kalle Korhonen
> >  wrote:
> >> On Mon, Aug 22, 2011 at 1:27 PM, Gunnar Eketrapp
> >>  wrote:
> >>> I just rewrote my very old ProtectedPageGateKeeper that implemented
> >>> Dispatcher with a new one
> >>> inspired by Howard's blog
> >>> http://tapestryjava.blogspot.com/search/label/security
> >>> The new one implements ComponentRequestFilter and is better suited for
> >>> protecting ajax enabled pages.
> >>> So I thought ...
> >>> Now to my problem:
> > >>> The redirect that takes place after an ajax call seems to disappear into
> > >>> thin air. I.e. the page displaying
> > >>> a rolling ajax loader is not redirected to my /noaccess page. I have to hit
> > >>> a full page refresh for the redirect to work.
> > >>> Is there some trick needed in order to get the redirect to work for an ajax
> > >>> call?
> >>> Sorry for asking stupid newbie questions ... of course I have missed
> >>> something again!
> >>
> >> I don't think it's a stupid newbie question but obviously you cannot
> >> just send 302 uri as a response to an ajax request. If you want a full
> >> page refresh, you can handle it similarly how the tynamo-exceptionpage
> >> module (http://tynamo.org/tapestry-exceptionpage+guide) handles
> >> exceptions in ajax responses
> >> (http://svn.codehaus.org/tynamo/trunk/tapestry-exceptionpage/src/main/java/org/tynamo/exceptionpage/services/ConfigurableRequestExceptionHandler.java).
> >> Or, take a look at T5.3's new ajax error handler, rendering an iframe
> >> on the fly in response to an ajax error.
> >>
> >> Kalle
> >>
> >>
> >>> 2011-08-22 21:54:53.243 [btpool0-11] DEBUG u.s.UtskicketModule.RequestLogger - Request: /group/members.grid.pager/1/grid (Method=POST, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=true)
> >>> 2011-08-22 21:54:53.243 [btpool0-11] DEBUG u.services.ProtectedPageGateKeeper2 - Page path: /group/members.grid.pager/1/grid
> >>>
> >>> 2011-08-22 22:01:06.500 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /group/members.grid.pager/7/grid (Method=POST, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=true)
> >>> 2011-08-22 22:01:06.500 [btpool0-10] DEBUG u.services.ProtectedPageGateKeeper2 - Page path: /group/members.grid.pager/7/grid
> >>> 2011-08-22 22:01:06.500 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /noaccess (Method=GET, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=false)
> >>>
> >>> Note: The return from the request above does not show up in the browser ...
> >>>
> >>> 2011-08-22 22:01:56.956 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /group/members/3 (Method=GET, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=false)
> >>> 2011-08-22 22:01:56.960 [btpool0-10] DEBUG u.services.ProtectedPageGateKeeper2 - Page path: /group/members/3
> >>> 2011-08-22 22:01:56.964 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /noaccess (Method=GET, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=false)
> >>>
> >>> Note: Now we get to the /noaccess page
> >>>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> >> For additional commands, e-mail: users-h...@tapestry.apache.org
> >>
> >>
> >
> >
> >
> > --
> > Howard M. Lewis Ship
> >
> > Creator of Apache Tapestry
> >
> > The source for Tapestry training, mentoring and support. Contact me to
> > learn how I can get you up and productive in Tapestry fast!
> >
> > (971) 678-5210
> > http://howardlewisship.com
> >
> > ---

Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-23 Thread Kalle Korhonen
On Mon, Aug 22, 2011 at 4:42 PM, Howard Lewis Ship  wrote:
> Actually, perhaps Tapestry's client-side support should, by default,
> handle 302 correctly.

Yes, perhaps so. But the correctness is "in the eye of the beholder".
It's clear that a 302 response to a non-ajax request always causes a
redirect, but not necessarily so for an ajax request. If the default
behavior was easily overridable then yes, why not. Perhaps I should
just bring tapestry-exceptionpage functionality to the core.

Kalle


> Currently, Tapestry's JSON response for partial page updates includes
> a special key for performing a redirect.

-
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org



Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-23 Thread Gunnar Eketrapp
Thanks a lot!

I think I found what I needed in ConfigurableRequestExceptionHandler.java
and will try it out this evening ...

I also like this a lot ...
*Actually, perhaps Tapestry's client-side support should, by default,*
*handle 302 correctly.*

2011/8/23 Howard Lewis Ship 

> Actually, perhaps Tapestry's client-side support should, by default,
> handle 302 correctly.
>
> Currently, Tapestry's JSON response for partial page updates includes
> a special key for performing a redirect.


-- 
[Home: 08-715 59 57, Mobile: 070-991 86 42]
Allévägen 2A, 132 42 Saltsjö-Boo


Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-22 Thread Howard Lewis Ship
Actually, perhaps Tapestry's client-side support should, by default,
handle 302 correctly.

Currently, Tapestry's JSON response for partial page updates includes
a special key for performing a redirect.




-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
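
The approach the thread converges on, as an added example that is not code from any poster or from Tapestry itself: a ComponentRequestFilter that applies one deny-by-default check to both page renders and ajax component events, and answers a denied XHR with the `redirectURL` JSON key instead of a 302. The class name, the `NoAccess` page, the public-page list and the `userId` session attribute are assumptions; imports follow the Tapestry 5.2/5.3 package layout, and how the client handles the key is version dependent, as noted in the thread.

```java
// Added example; names marked "assumed" are not from the thread.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.tapestry5.Link;
import org.apache.tapestry5.json.JSONObject;
import org.apache.tapestry5.services.*; // Request, Response, Session, filter types

/** Gatekeeper filter: same access decision for page renders and ajax events. */
public class XhrAwareGateKeeper implements ComponentRequestFilter {
    // Assumed names: adjust to the application's own pages and session key.
    private static final String NO_ACCESS_PAGE = "NoAccess";
    private static final Set<String> PUBLIC_PAGES =
            new HashSet<String>(Arrays.asList("index", "login", "noaccess"));
    private static final String USER_ATTRIBUTE = "userId";

    private final Request request;
    private final Response response;
    private final PageRenderLinkSource linkSource;

    public XhrAwareGateKeeper(Request request, Response response,
                              PageRenderLinkSource linkSource) {
        this.request = request;
        this.response = response;
        this.linkSource = linkSource;
    }

    public void handlePageRender(PageRenderRequestParameters parameters,
            ComponentRequestHandler handler) throws IOException {
        if (!deny(parameters.getLogicalPageName())) handler.handlePageRender(parameters);
    }

    public void handleComponentEvent(ComponentEventRequestParameters parameters,
            ComponentRequestHandler handler) throws IOException {
        // Grid pager clicks and other ajax events arrive here, not in handlePageRender.
        if (!deny(parameters.getActivePageName())) handler.handleComponentEvent(parameters);
    }

    /** Writes the refusal and returns true when the caller must not continue. */
    private boolean deny(String pageName) throws IOException {
        if (PUBLIC_PAGES.contains(pageName.toLowerCase())) return false;
        Session session = request.getSession(false); // never create a session here
        if (session != null && session.getAttribute(USER_ATTRIBUTE) != null) return false;

        // The target is built server-side, never taken from request input.
        Link target = linkSource.createPageRenderLink(NO_ACCESS_PAGE);
        if (request.isXHR()) {
            // A 302 would be followed inside the XHR; answer with JSON instead.
            JSONObject reply = new JSONObject();
            reply.put("redirectURL", target.toAbsoluteURI());
            PrintWriter writer = response.getPrintWriter("application/json");
            writer.print(reply.toString());
            writer.flush();
        } else {
            response.sendRedirect(target);
        }
        return true;
    }
}
```

The filter takes effect once it is contributed to the ComponentRequestHandler service configuration in the application module.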




Re: Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-22 Thread Kalle Korhonen
On Mon, Aug 22, 2011 at 1:27 PM, Gunnar Eketrapp
 wrote:
> I just rewrote my very old ProtectedPageGateKeeper that implemented
> Dispatcher with a new one
> inspired by Howard's blog
> http://tapestryjava.blogspot.com/search/label/security
> The new one implements ComponentRequestFilter and is better suited for
> protecting ajax enabled pages.
> So I thought ...
> Now to my problem:
> The redirect that takes place after an ajax call seems to disappear into
> thin air. I.e. the page displaying
> a rolling ajax loader is not redirected to my /noaccess page. I have to hit
> a full page refresh for the redirect to work.
> Is there some trick needed in order to get the redirect to work for an ajax
> call?
> Sorry for asking stupid newbie questions ... of course I have missed
> something again!

I don't think it's a stupid newbie question but obviously you cannot
just send 302 uri as a response to an ajax request. If you want a full
page refresh, you can handle it similarly to how the tynamo-exceptionpage
module (http://tynamo.org/tapestry-exceptionpage+guide) handles
exceptions in ajax responses
(http://svn.codehaus.org/tynamo/trunk/tapestry-exceptionpage/src/main/java/org/tynamo/exceptionpage/services/ConfigurableRequestExceptionHandler.java).
Or, take a look at T5.3's new ajax error handler, rendering an iframe
on the fly in response to an ajax error.

Kalle





Problem with securing ajax enabled Tapestry pages with Annotations ...

2011-08-22 Thread Gunnar Eketrapp
I just rewrote my very old ProtectedPageGateKeeper that implemented
Dispatcher with a new one
inspired by Howard's blog
http://tapestryjava.blogspot.com/search/label/security

The new one implements ComponentRequestFilter and is better suited for
protecting ajax enabled pages.
So I thought ...

Now to my problem:

The redirect that takes place after an ajax call seems to disappear into
thin air. I.e. the page displaying
a rolling ajax loader is not redirected to my /noaccess page. I have to hit
a full page refresh for the redirect to work.

Is there some trick needed in order to get the redirect to work for an ajax
call?

Sorry for asking stupid newbie questions ... of course I have missed
something again!

Thanks in advance!
Gunnar Eketrapp

2011-08-22 21:54:53.243 [btpool0-11] DEBUG u.s.UtskicketModule.RequestLogger - Request: /group/members.grid.pager/1/grid (Method=POST, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=true)
2011-08-22 21:54:53.243 [btpool0-11] DEBUG u.services.ProtectedPageGateKeeper2 - Page path: /group/members.grid.pager/1/grid

2011-08-22 22:01:06.500 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /group/members.grid.pager/7/grid (Method=POST, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=true)
2011-08-22 22:01:06.500 [btpool0-10] DEBUG u.services.ProtectedPageGateKeeper2 - Page path: /group/members.grid.pager/7/grid
2011-08-22 22:01:06.500 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /noaccess (Method=GET, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=false)

Note: The return from the request above does not show up in the browser ...

2011-08-22 22:01:56.956 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /group/members/3 (Method=GET, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=false)
2011-08-22 22:01:56.960 [btpool0-10] DEBUG u.services.ProtectedPageGateKeeper2 - Page path: /group/members/3
2011-08-22 22:01:56.964 [btpool0-10] DEBUG u.s.UtskicketModule.RequestLogger - Request: /noaccess (Method=GET, browser=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0, isXHR=false)

Note: Now we get to the /noaccess page