BTW, if we don't have any major bugs in 2.8.1 in the next week or so,
I think we should start merging the Stripes stuff. After that I can
start committing the JCR stuff (which really needs some of the new
classes to be available).
Yee-haw! Let's break the trunk!
/Janne
On Nov 27, 2008, at 16:43, Andrew Jaquith wrote:
Harry --
With Stripes Interceptors, the way it works is that its intercept()
method fires before, after, or during particular Stripes lifecycle
stages. The Interceptor has a return type called Resolution, the
two most common types of which are ForwardResolution and
RedirectResolution. If the Interceptor returns a Resolution, the
controller (StripesFilter/Dispatcher) executes it. Otherwise,
execution continues.
Security-type Interceptors typically emit Redirect or Forward
Resolutions if access checks fail, or null (do nothing) if they
succeed.
BTW, you can also check out WikiInterceptor in STRIPES_BRANCH to
see how we're going to do it in 3.0.
Andrew
On Nov 27, 2008, at 1:15, Harry Metske <[EMAIL PROTECTED]> wrote:
Yes, I have read about that but wasn't sure if it would help me.
The important thing you say here is "forward the user as needed to a
login or "unauthorized" page if the role check fails" with the emphasis on
login page.
So if I understand it correctly, users that don't have an account should
still be able to use the "Read functions" that way.
I'll have a look at it and see if I can make it work, thanks for the help!
regards,
Harry
2008/11/27 Andrew Jaquith <[EMAIL PROTECTED]>
I am not sure if this will be possible, but it seems to me that you should
not have to use multiple URLs for the scenario you described.
For role-based access to particular ActionBean methods, I recommend
annotating the handler methods (read, edit etc) with annotations that denote
the roles that are allowed to execute them. Then, you would provide an
Interceptor implementation that fires after event resolution but before
validation. The Interceptor's job would be to make the authorization
decision and forward the user as needed to a login or "unauthorized" page if
the role check fails.
This is actually a pretty simple and elegant approach because you don't need
to modify ActionBeans, or use separate URL schemes, to do it. This
Interceptor-based approach is the strategy JSPWiki 3 takes.
There is a community-developed SecurityInterceptor floating around on the
Stripes site somewhere. You should take a look at that first.
Regards,
Andrew
On Nov 26, 2008, at 16:01, Harry Metske <[EMAIL PROTECTED]> wrote:
Andrew,
will it then be possible to have more than one URL bound to the same
ActionBean?
I ask because I currently work on a simple Stripes-based CRUD application,
and I'm using the same ActionBean for all actions (Create, Read, Update,
Delete).
I want read to be publicly available, but the others should be J2EE
protected with a security-constraint.
So would it be possible to have 2 URLs, like:
/nonpub/MyActionBean
/pub/MyActionBean
Where only the first one is protected.
Of course, there is some additional security checking required in the
ActionBean.
regards,
Harry
2008/11/26 Andrew Jaquith <[EMAIL PROTECTED]>
FYI --
Ben Gunter @ the Stripes project just committed a new enhancement that I'd
requested in August, namely the ability to create ActionBean URLBindings
from arbitrary String patterns. It will ship in 1.5.1.
This is excellent news because it makes it possible for third parties (like
us) to fairly easily create, for example, URLBinding patterns that are read
from text files. This gives us an option for binding URLs to ActionBeans
other than the default method, which is to get them from class annotations.
My intent is to create a FileActionResolver to do this, at a slightly later
point in the 3.0 dev cycle.
For the Americans on this list -- happy Thanksgiving.
Andrew