Hi All,

The Tapestry Hotel demo app has proven a good lesson in implementing
AUTHENTICATION.  Having developed a multi-user Tapestry app, I now need to
implement AUTHORISATION, but the Hotel demo app is aimed at just one user
type: visitors.

I created a role table in my Tapestry application (screenshot attached). 
Permissions are specified in terms of CRUD actions, meaning there are four
columns for each domain (Hibernate) entity: e.g. CAN_CREATE_USER,
CAN_READ_USER, CAN_UPDATE_USER, CAN_DELETE_USER, etc.

The Hotel demo app enforces authentication by including or excluding the
@AnonymousAccess annotation on page classes.  I imagine enforcing page
authorisation could be done similarly, using a single annotation.  This
could prevent users lacking the necessary privilege from accessing certain
pages, for instance 'pages/DeleteUser.java'.  Ideally, though, it would be
desirable to also prevent users from navigating to such pages in the first
place.  Either the PageLink icon is greyed out, or there is no link.

I am seeking some direction - perhaps even some example code - in how to
have my Tapestry application enforce the privileges specified in my role
table.

Thanks & regards,

Chris.
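
An added example, not part of the original post and not code from the Hotel demo: one way to enforce the role table with a single page annotation, modelled on the demo's request-filter approach to @AnonymousAccess. The names RequiresPermission, PermissionSource and AuthorisationFilter are hypothetical, and the permission strings are assumed to match the role-table column names.

```java
import java.io.IOException;
import java.lang.annotation.*;
import java.util.Set;
import org.apache.tapestry5.runtime.Component;
// Assumption: pre-5.7 package layout; from 5.7 Response is in org.apache.tapestry5.http.services.
import org.apache.tapestry5.services.*;

// Hypothetical annotation: names the role-table column a page requires,
// e.g. @RequiresPermission("CAN_DELETE_USER") on pages/DeleteUser.java.
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@interface RequiresPermission { String value(); }

// Hypothetical service: columns set to true in the logged-in user's role row.
// It should return an empty set when nobody is logged in, so checks fail closed.
interface PermissionSource { Set<String> currentPermissions(); }

public class AuthorisationFilter implements ComponentRequestFilter {
    private final ComponentSource componentSource;
    private final Response response;
    private final PermissionSource permissions;

    public AuthorisationFilter(ComponentSource componentSource, Response response,
                               PermissionSource permissions) {
        this.componentSource = componentSource;
        this.response = response;
        this.permissions = permissions;
    }

    // Pages without the annotation pass through (authentication is handled elsewhere).
    // A page class can call the same check to decide whether to render a PageLink.
    public boolean isPermitted(String pageName) {
        Component page = componentSource.getPage(pageName);
        RequiresPermission required = page.getClass().getAnnotation(RequiresPermission.class);
        return required == null || permissions.currentPermissions().contains(required.value());
    }

    public void handlePageRender(PageRenderRequestParameters parameters,
                                 ComponentRequestHandler handler) throws IOException {
        if (isPermitted(parameters.getLogicalPageName())) handler.handlePageRender(parameters);
        else response.sendError(403, "Forbidden");
    }

    // Form submits and event links must be checked too, not only page renders.
    public void handleComponentEvent(ComponentEventRequestParameters parameters,
                                     ComponentRequestHandler handler) throws IOException {
        if (isPermitted(parameters.getActivePageName())) handler.handleComponentEvent(parameters);
        else response.sendError(403, "Forbidden");
    }
}
```

Hiding or greying out a PageLink only improves navigation; the filter is what actually blocks a user who types the URL or replays a form post.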