Another idea which may be easier in some ways would be to simply set up the html for the comment authenticator with an <img> tag pointing at the url "/roller/CommentAuthenticator". Depending on what authenticator is configured it could return an image of a math question, or possibly something else. This wouldn't be quite as flexible as an AJAX solution, but right now we only have the math authenticator, so I'm not sure how flexible we need to be.

I'm not sure what would be involved in dynamically drawing an image of a math question, but I would hope it's fairly easy. I'm not sure if this would go against any accessibility/usability guidelines though?

-- Allen


Matt Raible wrote:
On 1/3/06, Glenn Nielsen <[EMAIL PROTECTED]> wrote:

On Tue, Jan 03, 2006 at 12:51:22PM -0700, Matt Raible wrote:

On 1/3/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:

team,

just before the holidays, Dave and I discovered a rather unfortunate bug
created by the way the current comment authenticators work coupled with
how our page caching works.  basically, because the comment
authenticators actually embed their html in the page at rendering time
the comment authentication cannot work on a cached page because the page
will display an old and false cached version of the authenticator html.

the problem has technically existed for quite a long time, however it
wasn't noticed because in the past we used to have the old /comments/*
urls and we also didn't have the option of a non-expiring cache.  now
that we allow any page to potentially be cached for a long time we need
a way to allow the comment authentication to remain dynamic.

my initial thoughts are to use a little AJAX that will call back to a
servlet and ask how to authenticate.  i don't have a proposal yet, but i
figured i'd ask around first and see if anyone has any other ideas of
how to tackle this.

Doing this with Ajax should be easy enough - the question is how
secure will it be.  If it's JavaScript that can be called, what's to
stop spammers from calling the same methods?

I have been playing around with DWR for Ajax which integrates pretty
easily with a J2EE container and supports access controls using Realms.
I expect it would also work with Acegi.

DWR: http://getahead.ltd.uk/dwr/
DWR Security: http://getahead.ltd.uk/dwr/security


Yes, DWR does work with Acegi - however, commenters aren't authenticated. ;-)

Matt


Regards,

Glenn
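
An added example, not part of the original thread and not Roller code: a small Python model of the stale-authenticator problem described above and of a dynamic authenticator endpoint that keeps the page itself cacheable. The class and function names, the session ids and the `Cache-Control: no-store` header are assumptions; only the `/roller/CommentAuthenticator` URL comes from the thread.

```python
import random
import re

class MathAuthenticator:
    """Model of a math comment authenticator; expected answers stay server-side."""
    def __init__(self):
        self._pending = {}  # session id -> expected answer

    def challenge_html(self, session_id):
        a, b = random.randint(1, 9), random.randint(1, 9)
        self._pending[session_id] = a + b
        return f'{a} + {b} = <input name="answer">'

    def verify(self, session_id, answer):
        expected = self._pending.pop(session_id, None)  # single use
        return expected is not None and str(answer).strip() == str(expected)

class PageCache:
    """Model of a non-expiring page cache keyed by URL only."""
    def __init__(self):
        self._pages = {}

    def get(self, url, render):
        if url not in self._pages:
            self._pages[url] = render()
        return self._pages[url]

# Cacheable page: holds only a static reference to the dynamic endpoint.
PAGE_DYNAMIC = '<form><div data-src="/roller/CommentAuthenticator"></div></form>'

def page_embedded(auth, session_id):  # challenge baked in at render time
    return "<form>" + auth.challenge_html(session_id) + "</form>"

def authenticator_endpoint(auth, session_id):  # fresh challenge, never cached
    return {"Cache-Control": "no-store"}, auth.challenge_html(session_id)

def read_answer(html):  # a visitor reading the displayed question
    a, b = re.search(r"(\d+) \+ (\d+)", html).groups()
    return int(a) + int(b)

def demo():
    auth, cache = MathAuthenticator(), PageCache()
    cache.get("/entry", lambda: page_embedded(auth, "alice"))        # fills the cache
    stale = cache.get("/entry", lambda: page_embedded(auth, "bob"))  # bob sees alice's page
    embedded_ok = auth.verify("bob", read_answer(stale))  # no challenge issued to bob
    cache.get("/fixed", lambda: PAGE_DYNAMIC)             # safe to cache: no challenge inside
    _, fresh = authenticator_endpoint(auth, "bob")
    dynamic_ok = auth.verify("bob", read_answer(fresh))
    replay_ok = auth.verify("bob", read_answer(fresh))    # second use is rejected
    return embedded_ok, dynamic_ok, replay_ok
```

The model covers only the staleness problem; whether a script can call the endpoint and solve the question, the concern raised in the thread, is a separate matter.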
