On Mon, 28 Dec 2009 20:49:09 -0200, Howard <hls...@gmail.com> wrote:
> Instead, let's pursue a more declarative approach, where we use an
> annotation to mark pages that require that the user be logged in. We'll
> start with these ground rules:
> - Pages are freely accessible by anyone, unless they have
> a @RequiresLogin annotation
That's exactly the approach used in my Tapestry Security package. It's not
released yet, nor does it have documentation, but I'm already using it in
production for a public Internet website (www.pronutricionista.com.br).
Tapestry Security sources are available for browsing at
http://ars-machina.svn.sourceforge.net/viewvc/ars-machina/tapestry-security/trunk/
and checkout at
https://ars-machina.svn.sourceforge.net/svnroot/ars-machina/tapestry-security/trunk.
There's a @NeedsLoggedInUser annotation that is processed by a Dispatcher.
It throws an AnonymousAccessDeniedException when a user who is not logged in
attempts to read that page. Tapestry Security is built on top of Generic
Authentication and Generic Authorization, two other packages in the same
repository. Generic Authentication defines User, Permission,
PermissionGroup, and UserGroup classes. There's another annotation,
@NeedsPermission, that denies access to unlogged users and to logged-in
users that don't have the needed permission(s). Generic Authorization
defines a framework for controlling access to reading, creating, updating,
and removing objects, both at object and class level. Then Tapestry CRUD
(yet another package inside the Ars Machina Project) uses them to
automatically secure CRUD pages.
I wish I had the opportunity to document and write unit tests for them, so
I could donate them to Tapestry, a project that requires very high quality
code.
Everyone is invited to check out the code and post opinions and suggestions
on the mailing list or send them to me directly.
> - There's already some kind of UserAuthentication service that knows if
> the user is currently logged in or not, and (if logged in) who they
> are, as a User object
Tapestry Security has a UserService service that does exactly that. Maybe
we could reuse it in Tapestry itself.
> application to continue after the user logs in. Finally, the
> AuthenticationService is not part of Tapestry ... it is something
> specific to the application.
Tapestry could define an AuthenticationService interface and just provide
a dummy one out of the box. Other packages could override the
implementation of this service.
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, software architect and developer, Ars Machina Tecnologia da
Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
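The design discussed in this message (a page-level annotation, a dispatcher that checks it before the page renders, and an AuthenticationService interface with a dummy default implementation) as an added, self-contained example. This is not code from the original message, from Tapestry Security, or from Tapestry itself: it has no Tapestry dependency, the PageResolver and the dispatch() contract merely imitate the shape of Tapestry's ComponentClassResolver and Dispatcher (an assumption), and the page classes, paths and user name are made up.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Illustrative sketch; no Tapestry classes are used (the shapes below are assumptions). */
public class RequiresLoginExample {

    /** Marks a page class as reachable only by a logged-in user. Pages without it stay public. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface RequiresLogin {}

    /** The framework would define only this interface; the application supplies the real one. */
    public interface AuthenticationService {
        boolean isLoggedIn();
        Optional<String> currentUser();
    }

    /** Out-of-the-box dummy: nobody is logged in, so every @RequiresLogin page is denied (fails closed). */
    public static final class AnonymousAuthenticationService implements AuthenticationService {
        public boolean isLoggedIn() { return false; }
        public Optional<String> currentUser() { return Optional.empty(); }
    }

    /** Hypothetical application implementation standing in for a session-backed one. */
    public static final class FixedUserAuthenticationService implements AuthenticationService {
        private final String user;
        public FixedUserAuthenticationService(String user) { this.user = user; }
        public boolean isLoggedIn() { return true; }
        public Optional<String> currentUser() { return Optional.of(user); }
    }

    /** Thrown instead of rendering; an application would map it to a login redirect or a 403. */
    public static final class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String pageName) {
            super("login required for page '" + pageName + "'");
        }
    }

    /**
     * Maps a request path to a page class. Simplified stand-in for the framework's resolver:
     * lower-cases the name, treats "/" as the index page, and strips the activation context
     * ("/account/42") and component id / event type ("/account.form:submit") so every URL
     * form of a page is checked against the same annotation. Flat page names only.
     */
    public static final class PageResolver {
        private final Map<String, Class<?>> pages;
        public PageResolver(Map<String, Class<?>> pages) { this.pages = pages; }

        public Optional<Class<?>> resolve(String path) {
            String name = path.startsWith("/") ? path.substring(1) : path;
            for (char sep : new char[] {'/', '.', ':'}) {
                int i = name.indexOf(sep);
                if (i >= 0) name = name.substring(0, i);
            }
            if (name.isEmpty()) name = "index";
            return Optional.ofNullable(pages.get(name.toLowerCase(Locale.ROOT)));
        }
    }

    /** Dispatcher-style check that runs ahead of page rendering and component event handling. */
    public static final class RequiresLoginDispatcher {
        private final PageResolver resolver;
        private final AuthenticationService auth;

        public RequiresLoginDispatcher(PageResolver resolver, AuthenticationService auth) {
            this.resolver = resolver;
            this.auth = auth;
        }

        /**
         * Same contract as a dispatcher chain: return true only if the request was handled here.
         * A pure check never handles anything: it throws on denial, otherwise the chain continues.
         * Paths that resolve to no page (assets, unknown URLs) are left to later dispatchers.
         */
        public boolean dispatch(String path) {
            resolver.resolve(path).ifPresent(pageClass -> {
                if (pageClass.isAnnotationPresent(RequiresLogin.class) && !auth.isLoggedIn()) {
                    throw new AccessDeniedException(pageClass.getSimpleName());
                }
            });
            return false;
        }
    }

    // Constructed sample pages: Index is public, Account requires login.
    public static final class Index {}
    @RequiresLogin public static final class Account {}

    public static void main(String[] args) {
        PageResolver resolver = new PageResolver(Map.of("index", Index.class, "account", Account.class));
        String[] paths = {"/", "/Index", "/account", "/Account/42", "/account.form:submit", "/assets/app.css"};
        AuthenticationService[] services = {
            new AnonymousAuthenticationService(), new FixedUserAuthenticationService("alice")};
        for (AuthenticationService auth : services) {
            RequiresLoginDispatcher dispatcher = new RequiresLoginDispatcher(resolver, auth);
            System.out.println("user=" + auth.currentUser().orElse("<anonymous>"));
            for (String path : paths) {
                try {
                    dispatcher.dispatch(path);
                    System.out.println("  " + path + " -> continue");
                } catch (AccessDeniedException e) {
                    System.out.println("  " + path + " -> denied (" + e.getMessage() + ")");
                }
            }
        }
    }
}
```

Two points matter for the check to hold. First, the annotation lookup has to run on the canonical page name, not the raw path: "/Account", "/account/42" and "/account.form:submit" all reach the same page class, and a check keyed on the literal URL would let a form submission or a differently cased URL through. In Tapestry 5 that means contributing the dispatcher to MasterDispatcher ordered before both the PageRender and ComponentEvent dispatchers. Second, the default AuthenticationService answers "not logged in", so an application that forgets to override it loses access to its protected pages rather than exposing them.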