Nice idea.. I have something similar for another Tapestry application (that has the same sub-class the restricted page deal.. but without examining the request parameters)..

 

Why not do it in the validate() method instead?

 

Luke Galea

Software Development

BlueCat Networks

905-762-5225

 

-----Original Message-----
From: Phil Surette [mailto:[EMAIL PROTECTED]]
Sent: December 5, 2002 11:48 AM
To: Luke Galea; Tapestry Developer
Subject: RE: [Tapestry-developer] Direct Login Suggestions

 

I did something like this a couple of weeks ago. I did not come up with a very elegant design but I'll share...

 

I have a RestrictedPage that restricted pages must subclass. In the RestrictedPage class I override beginResponse (seems to be the right place, but as usual I'm not too sure...) and in there call a 'restrictAccess' method.

 

restrictAccess does the following:

- Look in the visit to see if an 'authorized' property is set.
- If not, check to see if an 'authorization' parameter was sent as an HTTP request parameter (cycle.getRequestContext().getRequest().getParameter... ) - if so, set the 'authorized' property in the visit. If not, send RedirectException to a 'you no can go here' page.

 

Then your email can create a url like http:/blah/blah?authorization=luke which will get the person in.

 

No matter how you slice it with this approach, you will be susceptible to replay attacks... it's not great security. In my case it's really just for user convenience, not for security.

-----Original Message-----
From: Luke Galea [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 11:30 AM
To: Tapestry Developer
Subject: [Tapestry-developer] Direct Login Suggestions

Hi again,

First I wanted to apologize for asking soooo many questions and thank everyone for giving me so much help.

Now onto my next question. The application we are developing is to have no login page, rather a URL with a generated code would be emailed to the users and they would use this link to login. I have some basic hunches on how to accomplish this, but I was wondering if I could get some feedback. I figure I will have to create my own service to handle this.. but then the trick is that the application that sends the emailed links to the users would not be written using Tapestry.. just standard JavaMail.. so I question how I could generate the gesture to this service.

 

Part of the reason for this is that the email sent out to each user could be written in such a way that their mail viewer would pull the page directly from Tapestry, and the link would be displayed only for those users without HTML support in their MUA. I.e., something similar to the way that eBay, etc. send periodic report emails.

 

Has anyone tackled something similar? I realize that if I wanted to pull off a ridiculous hack I could just forge the url and have an actionLink on the page that I wish them to enter from that logs them in.. but I am not sure if I could sleep at night if I did that…

 

Luke Galea

Software Development

BlueCat Networks

905-762-5225
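
The thread raises two points: how a mailer written outside Tapestry can produce the login link, and the replay weakness of a bare `authorization=luke` parameter. As an added example (not code from the thread or from Tapestry), one way to cover both is an HMAC-signed, expiring, single-use token; the class name, token layout and shared-key arrangement are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
// Added example: class name, token layout and key handling are assumptions, not Tapestry API.
public class LoginLinkTokens {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key;                                           // secret shared by mailer and web app
    private final Set<String> redeemed = ConcurrentHashMap.newKeySet(); // in-memory for the demo only
    public LoginLinkTokens(byte[] key) { this.key = key.clone(); }
    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Mailer side: token = base64url(user) . expiryMillis . nonce . base64url(HMAC of the first three fields)
    public String issue(String user, long expiresAtMillis) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String payload = B64.encodeToString(user.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtMillis + "." + B64.encodeToString(nonce);
        return payload + "." + B64.encodeToString(mac(payload));
    }

    // Web side (e.g. called from restrictAccess): returns the user name, or null if the token is refused.
    public String redeem(String token, long nowMillis) throws Exception {
        String[] p = token == null ? new String[0] : token.split("\\.", -1);
        if (p.length != 4) return null;                                  // malformed
        byte[] expected = B64.encode(mac(p[0] + "." + p[1] + "." + p[2]));
        if (!MessageDigest.isEqual(expected, p[3].getBytes(StandardCharsets.UTF_8))) return null; // forged or altered
        if (nowMillis > Long.parseLong(p[1])) return null;               // expired (field is trusted after the MAC check)
        if (!redeemed.add(p[2])) return null;                            // replay: nonce already used
        return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        LoginLinkTokens t = new LoginLinkTokens("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String tok = t.issue("luke", now + 3_600_000L);                  // constructed sample user and lifetime
        System.out.println(t.redeem(tok, now));                          // first redemption
        System.out.println(t.redeem(tok, now));                          // same token presented again
        System.out.println(t.redeem(tok + "x", now));                    // altered MAC
        System.out.println(t.redeem(t.issue("luke", now - 1), now));     // already expired
    }
}
```

In this sketch, restrictAccess would pass the request parameter to `redeem()` and set the visit's 'authorized' property only on a non-null result. The redeemed-nonce set has to live in storage shared by all application instances for the single-use check to hold.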

 
