Harry --
With Stripes Interceptors, the way it works is that its intercept()
method fires before, after, or during particular Stripes lifecycle
stages. The Interceptor has a return type called Resolution, the two
most common types of which are ForwardResolution and
RedirectResolution. If the Interceptor returns a Resolution, the
controller (StripesFilter/Dispatcher) executes it. Otherwise,
execution continues.
Security-type Interceptors typically emit Redirect or Forward
Resolutions if access checks fail, or null (do nothing) if they succeed.
BTW, you can also check out WikiInterceptor in STRIPES_BRANCH to see
how we're going to do it in 3.0.
Andrew
On Nov 27, 2008, at 1:15, Harry Metske <[EMAIL PROTECTED]> wrote:
Yes, I have read about that but wasn't sure if it would help me.
The important thing you say here is "forward the user as needed to a
login or "unauthorized" page if the role check fails" with the emphasis
on login page.
So if I understand it correctly, users that don't have an account should
still be able to use the "Read functions" that way.
I'll have a look at it and see if I can make it work, thanks for the
help!
regards,
Harry
2008/11/27 Andrew Jaquith <[EMAIL PROTECTED]>
I am not sure if this will be possible, but it seems to me that you
should not have to use multiple URLs for the scenario you described.
For role-based access to particular ActionBean methods, I recommend
annotating the handler methods (read, edit etc) with annotations that
denote the roles that are allowed to execute them. Then, you would
provide an Interceptor implementation that fires after event resolution
but before validation. The Interceptor's job would be to make the
authorization decision and forward the user as needed to a login or
"unauthorized" page if the role check fails.
This is actually a pretty simple and elegant approach because you don't
need to modify ActionBeans, or use separate URL schemes, to do it. This
Interceptor-based approach is the strategy JSPWiki 3 takes.
There is a community-developed SecurityInterceptor floating around on
the Stripes site somewhere. You should take a look at that first.
Regards,
Andrew
On Nov 26, 2008, at 16:01, Harry Metske <[EMAIL PROTECTED]> wrote:
Andrew,
will it then be possible to have more than one URL bound to the same
ActionBean?
I ask because I currently work on a simple Stripes-based CRUD
application, and I'm using the same ActionBean for all actions (Create,
Read, Update, Delete).
I want read to be publicly available, but the others should be J2EE
protected with a security-constraint.
So would it be possible to have 2 URLs, like:
/nonpub/MyActionBean
/pub/MyActionBean
Where only the first one is protected.
Of course, there is some additional security checking required in the
ActionBean.
regards,
Harry
2008/11/26 Andrew Jaquith <[EMAIL PROTECTED]>
FYI --
Ben Gunter @ the Stripes project just committed a new enhancement that
I'd requested in August, namely the ability to create ActionBean
URLBindings from arbitrary String patterns. It will ship in 1.5.1.
This is excellent news because it makes it possible for third parties
(like us) to fairly easily create, for example, URLBinding patterns that
are read from text files. This gives us an option for binding URLs to
ActionBeans other than the default method, which is to get them from
class annotations.
My intent is to create a FileActionResolver to do this, at a slightly
later point in the 3.0 dev cycle.
For the Americans on this list -- happy Thanksgiving.
Andrew