I created the ComponentRequestHandler service (a pipeline, with
filters) for this purpose; to make a single logical place to put
filters for both page render requests and component event requests.
package org.apache.tapestry5.services;

import java.io.IOException;

public interface ComponentRequestHandler
{
    /**
     * Handler for a component action request which will trigger an event on a
     * component and use the return value to send a response to the client
     * (typically, a redirect to a page render URL).
     *
     * @param parameters defining the request
     */
    void handleComponentEvent(ComponentEventRequestParameters parameters) throws IOException;

    /**
     * Invoked to activate and render a page. In certain cases, based on values
     * returned when activating the page, a
     * {@link org.apache.tapestry5.services.ComponentEventResultProcessor} may be
     * used to send an alternate response (typically, a redirect).
     *
     * @param parameters defines the page name and activation context
     */
    void handlePageRender(PageRenderRequestParameters parameters) throws IOException;
}
On Tue, Aug 25, 2009 at 7:26 AM, Sebastian Hennebrueder <[email protected]> wrote:
> Hello,
>
> the examples in the Wiki use either a request filter or a request
> dispatcher. Both solutions extract the page name in order to check if
> there are any restrictions. This code originally comes from the
> PageRenderDispatcher.
>
> private String extractPageName(Request request) {
>     String pageName;
>     String path = request.getPath();
>     int nextslashx = path.length();
>
>     // Drop the leading '/' and peel off trailing path segments until the
>     // remainder is a known logical page name (or nothing is left).
>     while (true) {
>         pageName = path.substring(1, nextslashx);
>         if (!pageName.endsWith("/") && componentClassResolver.isPageName(pageName))
>             break;
>         nextslashx = path.lastIndexOf('/', nextslashx - 1);
>         if (nextslashx <= 1) {
>             pageName = null;
>             break;
>         }
>     }
>     return pageName;
> }
>
>
> The issue with this approach is that component events are not validated.
> If I submit a form, the complete form processing can happen without any
> security validation.
> The submit sends a URL like mypage.myform.form. This kind of URL is not
> resolved to a page and as a consequence no validation takes place.
>
> A correct implementation needs to implement the page name extraction as
> done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as
> in the decodePageRenderRequest method of the same class.
> In addition a Dispatcher implementation needs to take care that it is
> called before the ComponentDispatcher.
>
> The following documentation is affected
> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
> http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess
>
> I haven't checked the Acegi Integration howtos.
>
> Can someone please validate this? I think we need to provide either a
> service to decode page names or at least show how to do it properly.
>
>
> --
> Best Regards / Viele Grüße
>
> Sebastian Hennebrueder
> -----
> Software Developer and Trainer for Hibernate / Java Persistence
> http://www.laliluna.de
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
--
Howard M. Lewis Ship
Creator of Apache Tapestry
The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!
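The following is an added example, written for this thread and not code from the Tapestry project or from either poster. It shows the approach Howard points at: one ComponentRequestFilter in the ComponentRequestHandler pipeline that applies the same access check to page render requests and to component event requests (form submits, action links), so the gap Sebastian describes, where a URL such as mypage.myform.form is never matched against a page name, does not arise. The decoded page names come from the request parameter objects, so no URL parsing is needed. The Tapestry 5.1 types used (ComponentRequestFilter, ComponentEventRequestParameters, PageRenderRequestParameters, PageRenderLinkSource, Request, Response, Session) are real; the AccessControlFilter class, the "admin/" protected prefix, the "Login" page and the "currentUser" session attribute are constructed for the example.

```java
// Added example: an access-control filter for the ComponentRequestHandler pipeline.
// Not Tapestry project code. Class name, page names and the session attribute are
// constructed for illustration; the Tapestry 5.1 API types are real.
package com.example.security; // hypothetical package

import java.io.IOException;

import org.apache.tapestry5.Link;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.ComponentRequestFilter;
import org.apache.tapestry5.services.ComponentRequestHandler;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

public class AccessControlFilter implements ComponentRequestFilter
{
    private static final String LOGIN_PAGE = "Login";           // constructed
    private static final String USER_ATTRIBUTE = "currentUser"; // constructed
    private static final String PROTECTED_PREFIX = "admin/";    // constructed

    private final Request request;
    private final Response response;
    private final PageRenderLinkSource linkSource;

    public AccessControlFilter(Request request, Response response, PageRenderLinkSource linkSource)
    {
        this.request = request;
        this.response = response;
        this.linkSource = linkSource;
    }

    /** Page render request: the logical page name has already been decoded for us. */
    public void handlePageRender(PageRenderRequestParameters parameters, ComponentRequestHandler handler)
            throws IOException
    {
        if (denied(parameters.getLogicalPageName())) return;
        handler.handlePageRender(parameters);
    }

    /**
     * Component event request (e.g. mypage.myform.form): check both pages involved.
     * The containing page owns the component that fires the event; the active page
     * is the one that was rendered and may differ from it.
     */
    public void handleComponentEvent(ComponentEventRequestParameters parameters, ComponentRequestHandler handler)
            throws IOException
    {
        if (denied(parameters.getContainingPageName()) || denied(parameters.getActivePageName())) return;
        handler.handleComponentEvent(parameters);
    }

    /** Redirects to the login page and returns true when access to pageName must be refused. */
    private boolean denied(String pageName) throws IOException
    {
        if (!isProtected(pageName) || isAuthenticated()) return false;
        Link login = linkSource.createPageRenderLink(LOGIN_PAGE);
        response.sendRedirect(login);
        return true;
    }

    /** Logical page names are case-insensitive in Tapestry, so compare in lower case. */
    static boolean isProtected(String pageName)
    {
        return pageName != null && pageName.toLowerCase().startsWith(PROTECTED_PREFIX);
    }

    private boolean isAuthenticated()
    {
        Session session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }
}

// Registration in the application's module class (AppModule), so the filter runs
// before any other ComponentRequestFilter in the pipeline:
//
//   public static void contributeComponentRequestHandler(
//           OrderedConfiguration<ComponentRequestFilter> configuration)
//   {
//       configuration.addInstance("AccessControl", AccessControlFilter.class, "before:*");
//   }
```

Because the filter sits in the ComponentRequestHandler pipeline rather than in front of the Dispatcher chain, it sees every request that Tapestry has already classified as a page render or a component event, which removes both problems raised in the quoted mail: the page name extraction is the framework's own, and ordering relative to the ComponentDispatcher is no longer the application's concern.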