Phil,

beginResponse
I think the validate() method was designed to handle just this scenario. That's where we are implementing the logic you describe.

Joseph Panico
[EMAIL PROTECTED]




From: Phil Surette <[EMAIL PROTECTED]>
To: "'Luke Galea'" <[EMAIL PROTECTED]>, Tapestry Developer <[EMAIL PROTECTED]>
Subject: RE: [Tapestry-developer] Direct Login Suggestions
Date: Thu, 5 Dec 2002 11:48:25 -0500

I did something like this a couple of weeks ago. I did not come up with a
very elegant design but I'll share...

I have a RestrictedPage that restricted pages must subclass. In the
RestrictedPage class I override beginResponse (seems to be the right place,
but as usual I'm not too sure...) and in there call a 'restrictAccess'
method.

restrictAccess does the following:
- look in the visit to see if an 'authorized' property is set.
- if not, check to see if an 'authorization' parameter was sent as an HTTP
request parameter (cycle.getRequestContext().getRequest().getParameter... )
- if so, set the 'authorized' property in the visit. If not, send
RedirectException to a 'you no can go here' page.

Then your email can create a url like http:/blah/blah?authorization=luke
which will get the person in.

No matter how you slice it with this approach, you will be susceptible to
replay attacks... it's not great security. In my case it's really just for
user convenience, not for security.

-----Original Message-----
From: Luke Galea [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 11:30 AM
To: Tapestry Developer
Subject: [Tapestry-developer] Direct Login Suggestions


Hi again,
First I wanted to apologize for asking soooo many questions and
thank everyone for giving me so much help.

Now onto my next question. The application we are developing is
to have no login page, rather a URL with a generated code would be emailed
to the users and they would use this link to login. I have some basic
hunches on how to accomplish this, but I was wondering if I could get some
feedback. I figure I will have to create my own service to handle this.. but
then the trick is that the application that sends the emailed links to the
users would not be written using tapestry.. just standard javamail.. so I
question how I could generate the gesture to this service.

Part of the reason for this is that the email sent out to each user could be
written in such a way that their mail viewer would pull the page directly
from tapestry, and the link would be displayed only for those users without
HTML support in their MUA. I.e. something similar to the way that ebay, etc
send periodic report emails.

Has anyone tackled something similar? I realize that if I wanted to pull off
a ridiculous hack I could just forge the url and have an actionLink on the
page that I wish them to enter from that logs them in.. but I am not sure if
I could sleep at night if I did that...

Luke Galea
Software Development
BlueCat <http://www.bluecatnetworks.com/> Networks
905-762-5225

