Rob Berens wrote:
> We identified this problem already and decided to solve it by
> having a different way of making the continuation request. In
> our case we use the original request with a request parameter, e.g.
>
> Original request:
> mywebapp/original.html
>
> Continuation request:
> mywebapp/original.html?continuation=123456
>
> The sitemap does authorization based on the request without
> taking into consideration a possible continuation parameter,
> and therefore both the original request and the continuation
> request are checked in the same way. After the authorization
> has taken place the continuation is detected by:
>
> <map:match pattern="continuation" type="request-parameter">
> <map:call continuation="{1}"/>
> </map:match>
>
> Of course adding a request parameter to the original request
> is a bit tougher than just replacing the last part by
> 123456.continue. To solve this we have a transformer that,
> apart from many other things, for several attributes like
> href, src etc. replaces the string:
> continuation:123456
>
> by the original request with a continuation parameter e.g.
> /mywebapp/original.html?continuation=123456
>
> So it is something like a continuation pseudo protocol.
>
Hmm, I might be wrong, but does this really protect you?
If you have a flow that is usable by unauthenticated users,
you run into the same problem, I think.
Carsten
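For readers following the thread, here is an added sitemap fragment (not from either poster's setup) that shows where the continuation matcher sits relative to the authorization check in the scheme Rob describes. It assumes Cocoon's authentication framework action `auth-protect` with a handler named `myhandler`, and a flowscript entry function `start`; both names are placeholders for whatever the real application uses.

```xml
<map:pipeline>
  <!-- Assumed: authorization is decided on the request URI alone, so
       original.html and original.html?continuation=123456 are checked
       identically before either branch below can run. -->
  <map:act type="auth-protect">
    <map:parameter name="handler" value="myhandler"/>

    <map:match pattern="original.html">
      <!-- A continuation request is recognised only by its parameter;
           this matcher must stay inside the guarded branch, otherwise a
           continuation created by an unauthenticated flow (Carsten's
           concern) would be callable without passing the check. -->
      <map:match pattern="continuation" type="request-parameter">
        <map:call continuation="{1}"/>
      </map:match>

      <!-- No continuation parameter: start the flow from the beginning. -->
      <map:call function="start"/>
    </map:match>
  </map:act>
</map:pipeline>
```

The authorization action sees the same URI in both cases; what it does not see is which flow produced the continuation, which is the gap Carsten points at for flows that are reachable without authentication.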