[ http://issues.apache.org/jira/browse/TAPESTRY-936?page=comments#action_12378054 ]
Brian K. Wallace commented on TAPESTRY-936: ------------------------------------------- I'm firmly against putting any kind of invasive authentication mechanism in Tapestry itself. Taking the "focus" approach, I prefer to have tapestry server my content and rely on an external authentication mechanism (in my case ACEGI) to handle all authentication / authorization. If you utilize friendly URLs and ACEGI, adding authentication and authorization to any Tapestry application is very trivial and, except for login/logout, non-invasive. > Provide basic authentication mecanisms > -------------------------------------- > > Key: TAPESTRY-936 > URL: http://issues.apache.org/jira/browse/TAPESTRY-936 > Project: Tapestry > Type: Improvement > Components: Framework > Versions: 4.1 > Reporter: Henri Dupre > > Several implementation details (creation of ICallbacks and page redirection) > make adding authentication to a tapestry application not a trivial task. > Page redirection can only be done in page validate thus making impossible to > capture the state of a page (for instance, properties + parameters of an > activateExternalPage). > After looking at the code, this has implications in the core of the engine > itself and making these changes might not be trivial. But instead of adding > features for generating ICallbacks and page redirection, why not directly > wire an authentication API inside the framework? > Here is a suggestion: > - provide a blank AuthenticatedPage interface or configuration that allows > pages to say that they require authentication > - provide a hivemind configuration point to plug an authentication service: > this service has methods to figure out if a user is authenticated or not and > also provides a page name that is called when a user is not authenticated > - the authentication pages have to implement a specific interface or another > mecanism that tell that the authentication process is finished (the process > might consist of several pages, e.g. new account creation) > - the engine takes care of the rest: before calling the authentication page, > a basic state is captured after the page is setup (all declared properties > are saved), and once the authentication process is finished, all that state > is restored and the page is called -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
