Hello,

I tried implementing it exactly as you suggested but I still get to see the first page. Once I refresh or try to go somewhere it sends me to the login page.

The funny thing is, the PageRedirectException IS being thrown, it's just not going to the login page.

Any ideas?

--James

----- Original Message -----
From: "Nikla Ratinen" <[EMAIL PROTECTED]>
To: "Tapestry users" <users@tapestry.apache.org>
Sent: Friday, February 23, 2007 1:02 PM
Subject: Re: Page Validation



Hi,

As an alternate approach you may override the default page source with an implementation that checks security constraints just before giving out the page instance - this basically has the added benefit that secured page instances may not be obtained even through (accidental) malicious code in non-secure pages or services.


-- Overridden engine
public class MyEngine extends BaseEngine
{
   protected IPageSource createPageSource(RequestContext context)
   {
       return new ProtectedPageSource(this);
   }
}

-- Overridden page source
public class ProtectedPageSource extends PageSource
{
   public ProtectedPageSource(IEngine engine)
   {
       super(engine);
   }

   public IPage getPage(IRequestCycle cycle, String pageName, IMonitor monitor)
   {
       IPage page = super.getPage(cycle, pageName, monitor);
       if (page != null && page instanceof ProtectedPage)
       {
           Visit visit = (Visit) cycle.getEngine().getVisit();
           if (visit == null || visit.getUser() == null)
               throw new PageRedirectException("Login");
       }
       return page;
   }
}

-- A protected page

public class ProtectedPage
   extends BasePage
{
}


Something along those lines ;)

Cheers,
-- Nikla



Mark Stang wrote:
Hi,
This seems to work for us.

public class ValidatePage
    extends BasePage
    implements PageValidateListener
{
    public void pageValidate(PageEvent event)
    {
        Mediator mediator = MgmtFactory.getMediator();
        if (!mediator.isConsole())
        {
            IPage messagePage = getRequestCycle().getPage("nonAdminConsole");
            throw new PageRedirectException(messagePage);
        }
        else
        {
            // If there is no visit object or the user isn't auth'd ship
            // them off to the login page
            Visit visit = (Visit)getVisit();
            if (visit == null || !visit.isUserAuthenticated())
            {
                Login login = (Login)getRequestCycle().getPage("login");
                throw new PageRedirectException(login);
            }
        }
    }
}

I tried a couple of different experiments. The first was to log in and copy a link then close the browser. I wasn't able to get to the page via the direct link. If I "logout" and try and access the page via a direct link, I don't get access. If I log in and copy a link and then surf off to another page, then I can come back via the direct link. All of this is based on my use of a session and the visit object. So, reviewing your code, I would think you need to have to check more than if the visit exists. You need to store a flag saying that they have been authenticated.

regards,

Mark

Mark J. Stang
Senior Engineer/Architect
office: +1 303.468.2900
mobile: +1 303.507.2833
Ping Identity



-----Original Message-----
From: James Sherwood [mailto:[EMAIL PROTECTED]
Sent: Fri 2/23/2007 6:34 AM
To: Tapestry users
Subject: Page Validation
Hello,

We use Tapestry 3.2

I have security (login) using PageValidateListener.

The secure page in the site is called ISOPage which extends BasePage.

I add the page validation using:
public ISOPage(){
    super();
    addPageValidateListener(new PageValidationListener());
}

The PageValidationListener class implements PageValidateListener and does security like this:

if(visit.getUser() == null){
    throw new PageRedirectException("UserLogin");
}

This all works fine it seems unless a direct is involved.

If I copy a directlink then try to access it without logging in it shows me the page the directlink java code is on.

The PageRedirectException does happen and if I refresh or try to go anywhere it sends me to the login but it still shows that page first.

Any ideas?
Thanks,
James

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
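
Added example, not part of the original thread and not Tapestry code: a self-contained Java model that combines the two suggestions in the thread, a single check at the page source that tests an explicit authenticated flag rather than only whether the session object exists. Every type here (GuardedPageSource, Visit, RedirectException) and the page names "Home" and "Account" are stand-ins constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in types constructed for this example; none of them are Tapestry classes.
public class GuardedPageSourceDemo {
    interface Protected {}  // marker, plays the role of ProtectedPage
    static class Page { final String name; Page(String n) { name = n; } }
    static class SecurePage extends Page implements Protected { SecurePage(String n) { super(n); } }
    // A session object can exist without anyone having logged in.
    static class Visit {
        private boolean authenticated;
        void markAuthenticated() { authenticated = true; }
        void logout() { authenticated = false; }
        boolean isUserAuthenticated() { return authenticated; }
    }
    static class RedirectException extends RuntimeException {
        final String target;
        RedirectException(String target) { super("redirect to " + target); this.target = target; }
    }
    // Single choke point: every page lookup passes the same check.
    static class GuardedPageSource {
        private final Map<String, Page> pages = new HashMap<>();
        void register(Page p) { pages.put(p.name, p); }
        Page getPage(String name, Visit visit) {
            Page page = pages.get(name);
            if (page instanceof Protected && (visit == null || !visit.isUserAuthenticated())) {
                throw new RedirectException("Login"); // fail closed before handing out the page
            }
            return page;
        }
    }
    static String resolve(GuardedPageSource src, String name, Visit visit) {
        try { Page p = src.getPage(name, visit); return p == null ? "not found" : p.name; }
        catch (RedirectException e) { return "redirect:" + e.target; }
    }
    public static void main(String[] args) {
        GuardedPageSource src = new GuardedPageSource();
        src.register(new Page("Home"));
        src.register(new SecurePage("Account"));
        Visit visit = new Visit();                           // session exists, no login yet
        System.out.println(resolve(src, "Account", null));   // no session at all
        System.out.println(resolve(src, "Account", visit));  // session without login
        visit.markAuthenticated();
        System.out.println(resolve(src, "Account", visit));  // logged in
        visit.logout();
        System.out.println(resolve(src, "Account", visit));  // logged out again
        System.out.println(resolve(src, "Home", null));      // public page, no session needed
    }
}
```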





