Hi there,

I have implemented and contributed a Dispatcher in order to secure access to
pages based on the user's role.  This is similar to the tutorial on the wiki,
although I have used annotations, so I can attach @Secured("ROLE_ADMIN") to
the page class.  This works very well and the user is redirected to the
login page if they do not have the required privileges.

So my problem is that ActionLinks on these pages are unprotected.  If I was
a malicious user and somehow managed to guess the URL to one of these
actions, even though they are redirected to the login page by my Dispatcher,
the action is still invoked.

How do I protect these links, and is the same true for forms as well?  What
do I need to implement in order to catch these requests (RequestFilter?) 
Ideally, if my dispatcher deems that the user does not have enough
privileges (the page is @Secured("ROLE_ADMIN") for instance) then all of
the action links on this page would also require this role to be invoked.

On pages where the role required is less than admin, for example,
ROLE_USER, these pages could contain actions that are only for
administrators, so it would be nice to attach an annotation to the
onAction() methods where increased security is required.

If someone can shed some light on the best way of implementing this I would
appreciate it very much.  I don't want to write boilerplate code at the
start of every onAction() method that needs to be secured, and I don't want
to extend base classes or mess about with onActivate()  so ideally I would
like a solution that is similar to the dispatcher or some sort of filter.

Many Thanks,
Daniel
-- 
View this message in context: 
http://www.nabble.com/Protecting-ActionLinks-when-using-a-Dispatcher.-tp21848757p21848757.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
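One way to get the behaviour the post asks for, as an added example that is not part of the original post and not Tapestry's own code: instead of a Dispatcher, contribute a ComponentEventRequestFilter so that every component event request (ActionLink clicks and Form submissions alike) is checked before any handler method runs. The filter looks for @Secured on the containing page class and on the event handler method that matches the event type and component id, and on failure redirects to the login page without calling the rest of the pipeline, which is the step that stops the action from being invoked. Assumptions: the Tapestry 5.1 API (ComponentEventRequestFilter, ComponentClassResolver, PageRenderLinkSource, Response.sendRedirect(Link), OrderedConfiguration.addInstance), an application-defined RoleSource service with a hasRole(String) method, a page named "Login", the package name, and that the context class loader can load the page classes. The listing shows what would normally be separate source files.

```java
package com.example.security;   // hypothetical package

import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import org.apache.tapestry5.Link;
import org.apache.tapestry5.annotations.OnEvent;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ComponentClassResolver;
import org.apache.tapestry5.services.ComponentEventRequestFilter;
import org.apache.tapestry5.services.ComponentEventRequestHandler;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.Response;

// --- Secured.java: usable on a page class and on individual event handler methods ---
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Secured { String value(); }

// --- RoleSource.java: assumed application service, e.g. backed by the HTTP session ---
interface RoleSource { boolean hasRole(String role); }

// --- SecuredEventFilter.java ---
class SecuredEventFilter implements ComponentEventRequestFilter {
    private final ComponentClassResolver resolver;
    private final PageRenderLinkSource linkSource;
    private final Response response;
    private final RoleSource roles;

    public SecuredEventFilter(ComponentClassResolver resolver, PageRenderLinkSource linkSource,
                              Response response, RoleSource roles) {
        this.resolver = resolver; this.linkSource = linkSource;
        this.response = response; this.roles = roles;
    }

    public void handle(ComponentEventRequestParameters params, ComponentEventRequestHandler handler)
            throws IOException {
        Class<?> page = loadPage(params.getContainingPageName());
        String id = params.getNestedComponentId() == null ? "" : params.getNestedComponentId();
        String missing = missingRole(page, params.getEventType(), id);
        if (missing != null) {
            // Deny: redirect and return WITHOUT calling the handler, so the event never fires.
            Link login = linkSource.createPageRenderLink("Login");   // assumed page name
            response.sendRedirect(login);
            return;
        }
        handler.handle(params);   // authorised: continue the normal event pipeline
    }

    /** Returns the first required role the current user lacks, or null if access is allowed. */
    private String missingRole(Class<?> page, String eventType, String componentId) {
        Secured onClass = page.getAnnotation(Secured.class);
        if (onClass != null && !roles.hasRole(onClass.value())) return onClass.value();
        // Walk the class hierarchy so handlers declared in a base page class are covered too.
        for (Class<?> c = page; c != null && c != Object.class; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                Secured onMethod = m.getAnnotation(Secured.class);
                if (onMethod != null && handlesEvent(m, eventType, componentId)
                        && !roles.hasRole(onMethod.value())) return onMethod.value();
            }
        }
        return null;
    }

    /** Matches Tapestry's conventions: onEventType / onEventTypeFromComponentId, or @OnEvent. */
    private static boolean handlesEvent(Method m, String eventType, String componentId) {
        String name = m.getName().toLowerCase();
        String byName = "on" + eventType.toLowerCase();
        if (name.equals(byName) || name.equals(byName + "from" + componentId.toLowerCase())) return true;
        OnEvent oe = m.getAnnotation(OnEvent.class);
        return oe != null && oe.value().equalsIgnoreCase(eventType)
                && (oe.component().length() == 0 || oe.component().equalsIgnoreCase(componentId));
    }

    private Class<?> loadPage(String pageName) {
        String className = resolver.resolvePageNameToClassName(pageName);
        try {
            // Assumption: the context class loader sees the page classes and their annotations.
            return Class.forName(className, true, Thread.currentThread().getContextClassLoader());
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("Cannot load page class " + className, e);
        }
    }
}

// --- add to AppModule.java: run the filter before every other event filter ---
class SecurityModuleFragment {
    public static void contributeComponentEventRequestHandler(
            OrderedConfiguration<ComponentEventRequestFilter> configuration) {
        configuration.addInstance("Secured", SecuredEventFilter.class, "before:*");
    }
}
```

Two caveats worth keeping in mind. A Form submission arrives as an "action" event on the Form component, not as the "success" or "validate" events its handlers are named after, so for forms rely on the class-level @Secured or annotate a handler declared with @OnEvent(component = "myForm"). And the filter only covers component event requests; page render requests still need the existing Dispatcher (or a PageRenderRequestFilter) so that a direct render URL is denied as well.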

