Julien,

You're right. We designed our app to only redirect from validate() to known valid pages. But I guess if we want a more generally useful and airtight page validation system, Tapestry should handle the case of validation "chains".

regards,

Joseph Panico
[EMAIL PROTECTED]




From: julien viet <[EMAIL PROTECTED]>
Reply-To: julien viet <[EMAIL PROTECTED]>
To: "Joseph Panico" <[EMAIL PROTECTED]>
Subject: Re[2]: [Tapestry-developer] Direct Login Suggestions
Date: Thu, 5 Dec 2002 12:11:11 -0500

Hello Joseph,

The problem is that validate is called only once, so if you redirect
to a page it will never validate again.

If you respond in a page by redirecting to another page
that should be protected, it will not validate it.

Thursday, December 5, 2002, 12:01:12 PM, you wrote:

JP> Phil,

>>beginResponse

JP> I think the validate() method was designed to handle just this scenario.
JP> That's where we are implementing the logic you describe

JP> Joseph Panico
JP> [EMAIL PROTECTED]




>>From: Phil Surette <[EMAIL PROTECTED]>
>>To: "'Luke Galea'" <[EMAIL PROTECTED]>, Tapestry Developer
>><[EMAIL PROTECTED]>
>>Subject: RE: [Tapestry-developer] Direct Login Suggestions
>>Date: Thu, 5 Dec 2002 11:48:25 -0500
>>
>>I did something like this a couple of weeks ago. I did not come up with a
>>very elegant design but I'll share...
>>
>>I have a RestrictedPage that restricted pages must subclass. In the
>>RestrictedPage class I override beginResponse (seems to be the right place,
>>but as usual I'm not too sure...) and in there call a 'restrictAccess'
>>method.
>>
>>restrictAccess does the following:
>>-look in the visit to see if an 'authorized' property is set.
>>-if not, check to see if an 'authorization' parameter was sent as an HTTP
>>request parameter (cycle.getRequestContext().getRequest().getParameter... )
>>- if so, set the 'authorized' property in the visit. If not, send
>>RedirectException to a 'you no can go here' page.
>>
>>Then your email can create a url like http:/blah/blah?authorization=luke
>>which will get the person in.
>>
>>No matter how you slice it with this approach, you will be susceptible to
>>replay attacks... it's not great security. In my case it's really just for
>>user convenience, not for security.
>>-----Original Message-----
>>From: Luke Galea [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, December 05, 2002 11:30 AM
>>To: Tapestry Developer
>>Subject: [Tapestry-developer] Direct Login Suggestions
>>
>>
>>Hi again,
>> First I wanted to apologize for asking soooo many questions and
>>thank everyone for giving me so much help.
>>
>> Now onto my next question. The application we are developing is
>>to have no login page, rather a URL with a generated code would be emailed
>>to the users and they would use this link to login. I have some basic
>>hunches on how to accomplish this, but I was wondering if I could get some
>>feedback. I figure I will have to create my own service to handle this.. but
>>then the trick is that the application that sends the emailed links to the
>>users would not be written using tapestry.. just standard javamail.. so I
>>question how I could generate the gesture to this service.
>>
>>Part of the reason for this is that the email sent out to each user could be
>>written in such a way that their mail viewer would pull the page directly
>>from tapestry, and the link would be displayed only for those users without
>>HTML support in their MUA. I.e. something similar to the way that ebay, etc
>>send periodic report emails.
>>
>>Has anyone tackled something similar? I realize that if I wanted to pull off
>>a ridiculous hack I could just forge the url and have an actionLink on the
>>page that I wish them to enter from that logs them in.. but I am not sure if
>>I could sleep at night if I did that...
>>
>>Luke Galea
>>Software Development
>>BlueCat <http://www.bluecatnetworks.com/> Networks
>>905-762-5225
>>


JP> _______________________________________________
JP> Tapestry-developer mailing list
JP> [EMAIL PROTECTED]
JP> https://lists.sourceforge.net/lists/listinfo/tapestry-developer



--
Best regards,
julien mailto:[EMAIL PROTECTED]
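
The emailed login code from this thread, made single-use and time-limited to narrow the replay exposure raised above, as an added example (not code from any poster or from Tapestry). `LoginCodeStore`, its methods and the 30-minute lifetime are hypothetical; it is plain Java 16+ with no Tapestry dependency, and `authorization` is the parameter name used in Phil's message.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not a Tapestry class: issues and redeems emailed login codes.
public class LoginCodeStore {
    private record Entry(String user, Instant expires) {}
    private final SecureRandom random = new SecureRandom();
    // Keyed by SHA-256 of the code, so a leaked store does not reveal usable links.
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final Duration lifetime;
    public LoginCodeStore(Duration lifetime) { this.lifetime = lifetime; }

    // Called by the mailer: returns the value to place in ?authorization=...
    public String issue(String user, Instant now) {
        byte[] raw = new byte[32];                 // 256 random bits, not guessable
        random.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(digest(code), new Entry(user, now.plus(lifetime)));
        return code;
    }

    // Called from the page's access check: succeeds at most once per code.
    public Optional<String> redeem(String code, Instant now) {
        if (code == null) return Optional.empty();
        Entry e = pending.remove(digest(code));    // atomic remove makes the code single-use
        if (e == null || now.isAfter(e.expires())) return Optional.empty();
        return Optional.of(e.user());
    }

    private static String digest(String code) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256").digest(code.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(h);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        LoginCodeStore store = new LoginCodeStore(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2002-12-05T17:00:00Z");             // constructed sample time
        String code = store.issue("luke", t0);
        System.out.println(store.redeem(code, t0.plusSeconds(60)));     // first click on the link
        System.out.println(store.redeem(code, t0.plusSeconds(120)));    // same link replayed
        System.out.println(store.redeem(store.issue("luke", t0), t0.plus(Duration.ofHours(1)))); // expired link
    }
}
```

The page's access check would set the visit's authorized state only when `redeem` returns a user, so a link copied from a mailbox or proxy log stops working after its first use or after the lifetime elapses.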
