On Tue, Jan 03, 2006 at 12:51:22PM -0700, Matt Raible wrote: > On 1/3/06, Allen Gilliland <[EMAIL PROTECTED]> wrote: > > team, > > > > just before the holidays, Dave and I discovered a rather unfortunate bug > > created by the way the current comment authenticators work coupled with > > how our page caching works. basically, because the comment > > authenticators actually embed their html in the page at rendering time > > the comment authentication cannot work on a cached page because the page > > will display an old and false cached version of the authenticator html. > > > > the problem has technically existed for quite a long time, however it > > wasn't noticed because in the past we used to have the old /comments/* > > urls and we also didn't have the option of a non-expiring cache. now > > that we allow any page to potentially be cached for a long time we need > > a way to allow the comment authentication to remain dynamic. > > > > my initial thoughts are to use a little AJAX that will call back to a > > servlet and ask how to authenticate. i don't have a proposal yet, but i > > figured i'd ask around first and see if anyone has any other ideas of > > how to tackle this. > > Doing this with Ajax should be easy enough - the question is how > secure will it be. If it's JavaScript that can be called, what's to > stop spammers from calling the same methods?
I have been playing around with DWR for Ajax which integrates pretty easily with a J2EE container and supports access controls using Realms. I expect it would also work with Acegi. DWR: http://getahead.ltd.uk/dwr/ DWR Security: http://getahead.ltd.uk/dwr/security Regards, Glenn
