I'm going to move forward with this using more of a pure javascript approach than AJAX. To make things simple I'm just going to define a CommentAuthenticatorServlet which will generate the html for the comment authenticator challenge. Then I'll just use a little javascript which calls the comment authenticator servlet and inserts the html returned.

Now is the last chance to object to this approach and provide alternatives.

-- Allen

On Tue, 2006-01-03 at 13:27, Allen Gilliland wrote:
> Another idea which may be easier in some ways would be to simply set up
> the html for the comment authenticator with an <img> tag pointing at the
> url "/roller/CommentAuthenticator". Depending on what authenticator is
> configured it could return an image of a math question, or possibly
> something else. This wouldn't be quite as flexible as an AJAX solution,
> but right now we only have the math authenticator, so I'm not sure how
> flexible we need to be.
>
> I'm not sure what would be involved in dynamically drawing an image of a
> math question, but I would hope it's fairly easy. I'm not sure if this
> would go against any accessibility/usability guidelines though?
>
> -- Allen
>
>
> Matt Raible wrote:
> > On 1/3/06, Glenn Nielsen <[EMAIL PROTECTED]> wrote:
> >
> >>On Tue, Jan 03, 2006 at 12:51:22PM -0700, Matt Raible wrote:
> >>
> >>>On 1/3/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> >>>
> >>>>team,
> >>>>
> >>>>just before the holidays, Dave and I discovered a rather unfortunate bug
> >>>>created by the way the current comment authenticators work coupled with
> >>>>how our page caching works. basically, because the comment
> >>>>authenticators actually embed their html in the page at rendering time
> >>>>the comment authentication cannot work on a cached page because the page
> >>>>will display an old and false cached version of the authenticator html.
> >>>>
> >>>>the problem has technically existed for quite a long time, however it
> >>>>wasn't noticed because in the past we used to have the old /comments/*
> >>>>urls and we also didn't have the option of a non-expiring cache. now
> >>>>that we allow any page to potentially be cached for a long time we need
> >>>>a way to allow the comment authentication to remain dynamic.
> >>>>
> >>>>my initial thoughts are to use a little AJAX that will call back to a
> >>>>servlet and ask how to authenticate. i don't have a proposal yet, but i
> >>>>figured i'd ask around first and see if anyone has any other ideas of
> >>>>how to tackle this.
> >>>
> >>>Doing this with Ajax should be easy enough - the question is how
> >>>secure will it be. If it's JavaScript that can be called, what's to
> >>>stop spammers from calling the same methods?
> >>
> >>I have been playing around with DWR for Ajax which integrates pretty
> >>easily with a J2EE container and supports access controls using Realms.
> >>I expect it would also work with Acegi.
> >>
> >>DWR: http://getahead.ltd.uk/dwr/
> >>DWR Security: http://getahead.ltd.uk/dwr/security
> >
> >
> > Yes, DWR does work with Acegi - however, commenters aren't authenticated.
> > ;-)
> >
> > Matt
> >
> >
> >>Regards,
> >>
> >>Glenn
> >>
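
Added example, not part of the thread and not Roller's code: a JavaScript model of the approach discussed above, in which the cached page holds only a placeholder and the challenge is issued per request, with the answer kept server-side and accepted once. The function names, session ids, challenge lifetime and HTML fragment are assumptions made for illustration.

```javascript
const { randomInt } = require("node:crypto");

// Hypothetical in-memory store: session id -> expected answer and expiry.
const pending = new Map();
const TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime

// What the page cache stores: a placeholder, never a rendered challenge.
const CACHED_PAGE = '<form id="comment"><div id="auth-challenge"></div></form>';
const PLACEHOLDER = '<div id="auth-challenge"></div>';

// Server side: the fragment a challenge endpoint would return per request.
// Only the question leaves the server; the answer is stored against the session.
function issueChallenge(sessionId, now = Date.now()) {
  const a = randomInt(1, 10);
  const b = randomInt(1, 10);
  pending.set(sessionId, { answer: a + b, expires: now + TTL_MS });
  return `<label>What is ${a} + ${b}? <input name="answer" size="3"></label>`;
}

// Server side: run when the comment form is posted.
function verifyAnswer(sessionId, submitted, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId); // single use: a replayed answer finds nothing
  if (!entry || now > entry.expires) return false;
  const text = String(submitted).trim();
  return /^\d{1,3}$/.test(text) && Number(text) === entry.answer;
}

// Client-side step, modelled here as a string substitution: the script on the
// cached page asks for a fresh fragment and inserts it into the placeholder.
function renderForVisitor(cachedPage, sessionId, now = Date.now()) {
  const fragment = issueChallenge(sessionId, now);
  return cachedPage.replace(
    PLACEHOLDER,
    () => `<div id="auth-challenge">${fragment}</div>`
  );
}
```

The comment is accepted or rejected by `verifyAnswer` on the server, so a stale cached page cannot present a challenge that no longer matches, and an answer cannot be reused for a second post.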
