Hi there,

I have implemented and contributed a Dispatcher in order to secure access to pages based on the user's role. This is similar to the tutorial on the wiki, although I have used annotations, so I can attach @Secured("ROLE_ADMIN") to the page class. This works very well and the user is redirected to the login page if they do not have the required privileges.

So my problem is that ActionLinks on these pages are unprotected. If I were a malicious user and somehow managed to guess the URL to one of these actions, even though they are redirected to the login page by my Dispatcher, the action is still invoked. How do I protect these links, and is the same true for forms as well? What do I need to implement in order to catch these requests (RequestFilter?)

Ideally, if my dispatcher deems that the user does not have enough privileges (the page is @Secured("ROLE_ADMIN"), for instance) then all of the action links on this page would also require this role to be invoked. On pages where the role required is less than admin, for example ROLE_USER, these pages could contain actions that are only for administrators, so it would be nice to attach an annotation to the onAction() methods where increased security is required.

If someone can shed some light on the best way of implementing this I would appreciate it very much. I don't want to write boilerplate code at the start of every onAction() method that needs to be secured, and I don't want to extend base classes or mess about with onActivate(), so ideally I would like a solution that is similar to the dispatcher or some sort of filter.

Many Thanks,
Daniel

--
View this message in context: http://www.nabble.com/Protecting-ActionLinks-when-using-a-Dispatcher.-tp21848757p21848757.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
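One way to get the behaviour the post asks for (page-level @Secured applied to every action and form submission on the page, plus a method-level @Secured on individual handlers, without touching onActivate() or a base class) is a ComponentRequestFilter rather than a Dispatcher. Tapestry 5.1+ routes both page-render requests and component-event requests (ActionLink clicks and Form submissions) through the ComponentRequestHandler pipeline, so a single filter sees both, and by not calling the next handler the event is simply never fired. The code below is an added example, not Daniel's Dispatcher or anything from the Tapestry project; it assumes a hypothetical UserSession service with hasRole(String), a page named Login, a @Secured annotation of your own as shown, and the package name com.example.security.

```java
package com.example.security; // assumption: hypothetical package

import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import org.apache.tapestry5.services.ComponentClassResolver;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.ComponentRequestFilter;
import org.apache.tapestry5.services.ComponentRequestHandler;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Response;

/** Role required to render a page (on the class) or to run an event handler (on the method). */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secured {
    String value();
}

/** Assumption: your own authentication state; only hasRole() is needed here. */
interface UserSession {
    boolean hasRole(String role);
}

/**
 * Registered in AppModule with:
 *
 *   public static void contributeComponentRequestHandler(
 *           OrderedConfiguration<ComponentRequestFilter> configuration) {
 *       configuration.addInstance("Secured", SecuredRequestFilter.class);
 *   }
 */
public class SecuredRequestFilter implements ComponentRequestFilter {

    private final ComponentClassResolver resolver;
    private final PageRenderLinkSource linkSource;
    private final Response response;
    private final UserSession userSession;

    public SecuredRequestFilter(ComponentClassResolver resolver, PageRenderLinkSource linkSource,
                                Response response, UserSession userSession) {
        this.resolver = resolver;
        this.linkSource = linkSource;
        this.response = response;
        this.userSession = userSession;
    }

    public void handlePageRender(PageRenderRequestParameters parameters,
                                 ComponentRequestHandler handler) throws IOException {
        Class<?> pageClass = pageClass(parameters.getLogicalPageName());
        if (denied(pageClass.getAnnotation(Secured.class))) {
            return; // redirect already sent; the page is not rendered
        }
        handler.handlePageRender(parameters);
    }

    public void handleComponentEvent(ComponentEventRequestParameters parameters,
                                     ComponentRequestHandler handler) throws IOException {
        // The handler method lives on the page containing the component, so that page's rules apply.
        Class<?> pageClass = pageClass(parameters.getContainingPageName());

        // 1. A page-level @Secured covers every event fired on the page (links and forms alike).
        if (denied(pageClass.getAnnotation(Secured.class))) {
            return;
        }

        // 2. A method-level @Secured on a handler named on<EventType>From<ComponentId>.
        //    Assumption: the last segment of the nested id is the component's local id;
        //    handlers declared only via @OnEvent are not resolved by this naming check.
        String nestedId = parameters.getNestedComponentId();
        String localId = nestedId.substring(nestedId.lastIndexOf('.') + 1);
        String expected = "on" + parameters.getEventType() + "from" + localId;
        for (Class<?> c = pageClass; c != null && c != Object.class; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                if (m.getName().equalsIgnoreCase(expected) && denied(m.getAnnotation(Secured.class))) {
                    return; // the action is never invoked
                }
            }
        }
        handler.handleComponentEvent(parameters);
    }

    /** Loads the untransformed page class so annotations can be read with plain reflection. */
    private Class<?> pageClass(String pageName) {
        String className = resolver.resolvePageNameToClassName(pageName);
        try {
            return Thread.currentThread().getContextClassLoader().loadClass(className);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("Cannot load page class " + className, e);
        }
    }

    /** True (and a redirect to Login is sent) when a @Secured rule exists and is not satisfied. */
    private boolean denied(Secured secured) throws IOException {
        if (secured == null || userSession.hasRole(secured.value())) {
            return false;
        }
        response.sendRedirect(linkSource.createPageRenderLink("Login")); // assumption: page named Login
        return true;
    }
}
```

The important difference from a Dispatcher that sends a redirect is the early return: the downstream ComponentRequestHandler is never called, so a guessed action URL produces the redirect and nothing else. The method-level check matches the request-level event only (for an ActionLink with id "delete" that is onActionFromDelete); a Form submission arrives as an "action" event on the form, and the prepare/validate/success events it then fires internally are not separate requests, so for those the page-level rule is what applies.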