Daniel,
I was looking at this problem the other day, and you should look at the ComponentEventDispatcher. I think you need to first check if you get a matching page, and then check if you have an event. You can then extract the page name from the request path using that monster regexp. Sadly, this all relies on internal code :-(

Maybe there's a service for extracting the pagename from any request, but I guess that's not possible, because of the way people contribute Dispatchers.

Hope this helps,
Jonathan

On 05/02/2009 10:24, Daniel Jones wrote:
Hi there,

I have implemented and contributed a Dispatcher in order to secure access to
pages based on the user's role.  This is similar to the tutorial on the wiki,
although I have used annotations, so I can attach @Secured("ROLE_ADMIN") to
the page class.  This works very well and the user is redirected to the
login page if they do not have the required privileges.

So my problem is that ActionLinks on these pages are unprotected.  If I were
a malicious user and somehow managed to guess the URL to one of these
actions, the action would still be invoked, even though I would be redirected
to the login page by my Dispatcher.

How do I protect these links, and is the same true for forms as well?  What
do I need to implement in order to catch these requests (RequestFilter?)
Ideally, if my dispatcher deems that the user does not have enough
privileges (the page is @Secured("ROLE_ADMIN"), for instance), then all of
the action links on this page would also require this role to be invoked.

On pages where the role required is less than admin, for example
ROLE_USER, the page could contain actions that are only for
administrators, so it would be nice to attach an annotation to the
onAction() methods where increased security is required.

If someone can shed some light on the best way of implementing this I would
appreciate it very much.  I don't want to write boilerplate code at the
start of every onAction() method that needs to be secured, and I don't want
to extend base classes or mess about with onActivate(), so ideally I would
like a solution that is similar to the dispatcher or some sort of filter.

Many Thanks,
Daniel
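As an added illustration of the approach the thread is circling (authorise the component-event request, not just the page render, without reaching into Tapestry's internal dispatcher), here is a ComponentRequestFilter. This is example code, not code from the thread or from Tapestry; it assumes Tapestry 5.1's public ComponentRequestFilter / ComponentRequestHandler pipeline, a hypothetical @Secured annotation defined below, a hypothetical RoleChecker service that answers whether the logged-in user holds a role, and that Tapestry's class transformation leaves the @Secured annotations visible on the page class it hands back from ComponentSource.

```java
package com.example.security;

import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.ComponentRequestFilter;
import org.apache.tapestry5.services.ComponentRequestHandler;
import org.apache.tapestry5.services.ComponentSource;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Response;

/** Hypothetical annotation (example code): the caller must hold at least one of these roles. */
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@interface Secured {
    String[] value();
}

/** Hypothetical application service; wire it to whatever holds the logged-in user's roles. */
interface RoleChecker {
    boolean hasAnyRole(String[] roles);
}

/**
 * Authorises page-render AND component-event requests, so an ActionLink or form
 * submission on a @Secured page is refused even when its URL is guessed.
 * Fails closed: a denied request is redirected to Login and never reaches the handler.
 */
public class SecuredRequestFilter implements ComponentRequestFilter {
    private final ComponentSource componentSource;
    private final RoleChecker roleChecker;
    private final Response response;
    private final PageRenderLinkSource linkSource;

    public SecuredRequestFilter(ComponentSource componentSource, RoleChecker roleChecker,
                                Response response, PageRenderLinkSource linkSource) {
        this.componentSource = componentSource;
        this.roleChecker = roleChecker;
        this.response = response;
        this.linkSource = linkSource;
    }

    public void handlePageRender(PageRenderRequestParameters params, ComponentRequestHandler handler)
            throws IOException {
        if (!pageAllowed(params.getLogicalPageName())) {
            redirectToLogin();
            return;
        }
        handler.handlePageRender(params);
    }

    public void handleComponentEvent(ComponentEventRequestParameters params, ComponentRequestHandler handler)
            throws IOException {
        // Page-level rule: the page that contains the component and the active page
        // (they differ when page A's component is rendered inside page B) must both be permitted.
        String containing = params.getContainingPageName();
        if (!pageAllowed(containing) || !pageAllowed(params.getActivePageName())) {
            redirectToLogin();
            return;
        }
        // Method-level rule: a @Secured on the page's handler method for this event.
        // Events bubble from the component to its page, so the handler lives on the page class.
        String nestedId = params.getNestedComponentId();
        String componentId = nestedId.substring(nestedId.lastIndexOf('.') + 1);
        Class<?> page = componentSource.getPage(containing).getClass();
        for (Method m : page.getMethods()) {
            Secured s = m.getAnnotation(Secured.class);
            if (s != null && handlesEvent(m.getName(), params.getEventType(), componentId)
                    && !roleChecker.hasAnyRole(s.value())) {
                redirectToLogin();
                return;
            }
        }
        handler.handleComponentEvent(params);
    }

    /** No @Secured on the page class means unrestricted; otherwise one listed role is required. */
    private boolean pageAllowed(String pageName) {
        Secured s = componentSource.getPage(pageName).getClass().getAnnotation(Secured.class);
        return s == null || roleChecker.hasAnyRole(s.value());
    }

    /** Approximates Tapestry's naming convention onEventType[FromComponentId]; @OnEvent handlers are not matched. */
    private static boolean handlesEvent(String methodName, String eventType, String componentId) {
        String name = methodName.toLowerCase();
        String prefix = "on" + eventType.toLowerCase();
        return name.equals(prefix) || name.equals(prefix + "from" + componentId.toLowerCase());
    }

    private void redirectToLogin() throws IOException {
        response.sendRedirect(linkSource.createPageRenderLink("Login"));
    }

    /** Put this in AppModule: the filter runs ahead of Tapestry's own render/event handling. */
    public static void contributeComponentRequestHandler(OrderedConfiguration<ComponentRequestFilter> configuration) {
        configuration.addInstance("Secured", SecuredRequestFilter.class, "before:*");
    }
}
```

The practical check before relying on this: request the action URL of an ActionLink on a @Secured("ROLE_ADMIN") page as an unprivileged user and confirm the handler's side effect (a database change, a log line) did not happen, not just that a redirect came back. Handlers declared with @OnEvent, or placed on components between the link and the page, are not matched by the simple name check above and would need the same reflection applied to those classes.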
