On 1/3/06, Glenn Nielsen <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 03, 2006 at 12:51:22PM -0700, Matt Raible wrote:
> > On 1/3/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> > > team,
> > >
> > > just before the holidays, Dave and I discovered a rather unfortunate bug
> > > created by the way the current comment authenticators work coupled with
> > > how our page caching works. basically, because the comment
> > > authenticators actually embed their html in the page at rendering time
> > > the comment authentication cannot work on a cached page because the page
> > > will display an old and false cached version of the authenticator html.
> > >
> > > the problem has technically existed for quite a long time, however it
> > > wasn't noticed because in the past we used to have the old /comments/*
> > > urls and we also didn't have the option of a non-expiring cache. now
> > > that we allow any page to potentially be cached for a long time we need
> > > a way to allow the comment authentication to remain dynamic.
> > >
> > > my initial thoughts are to use a little AJAX that will call back to a
> > > servlet and ask how to authenticate. i don't have a proposal yet, but i
> > > figured i'd ask around first and see if anyone has any other ideas of
> > > how to tackle this.
> >
> > Doing this with Ajax should be easy enough - the question is how
> > secure will it be. If it's JavaScript that can be called, what's to
> > stop spammers from calling the same methods?
>
> I have been playing around with DWR for Ajax which integrates pretty
> easily with a J2EE container and supports access controls using Realms.
> I expect it would also work with Acegi.
>
> DWR: http://getahead.ltd.uk/dwr/
> DWR Security: http://getahead.ltd.uk/dwr/security

Yes, DWR does work with Acegi - however, commentors aren't authenticated. ;-)

Matt

>
> Regards,
>
> Glenn
>
