Hi Oscar,
see my answers below:

Oscar Westra van Holthe - Kind wrote:
[snip]

One of the assumptions of the security interceptor I wrote is that for
Stripes to execute the event handler the bean must exist. This can be done
in several ways:
- via the usual Stripes event handling (for the bean called "actionBean")
- via the stripes tag useActionBean (which can also call an event handler)

Both of these are created (and have their properties set) when used. It is
therefore always possible to use them for security as well. Or so I thought;
as you're getting exceptions, this may be wrong.

So to find out what's happening, I'll list what I understand from the entire
process with respect to the security tag:
1. An action bean is instantiated by Stripes.
2. The security tag finds the bean instance and the Method that will handle
   the named event (or the default event handler if no event is named).
3. The security manager is asked to check if access is allowed.
4. The security manager returns Boolean.TRUE if so, Boolean.FALSE if not,
   or null if some information is missing.
5. The tag shows its content (or not) based on this result.

Based on testing I did, I think that it's unlikely that steps 2, 3 or 5
create problems. My guess is steps 1 and/or 4.

You mentioned that your bean cannot be instantiated, suggesting the problem is
in step 1. Why is that?


Problem is that when using stripes:useActionBean my "preload" methods are called,
e.g. one of my methods marked as:

@Before(stages = LifecycleStage.BindingAndValidation, on = {CREATE, SAVE, EDIT, UPDATE})

loads quite a lot of data and although it is within the admin area and not often used
I would rather not run those queries.

Now, there are some beans that load data based on the previous action, so
I don't care if someone calls the action directly (it just fails with an exception),
e.g. a stupid example could be:

@Before(stages = LifecycleStage.BindingAndValidation)
void loadData() {
   foo.load();
   // ctx.getEventName() is null when the bean was created by the
   // stripes:useActionBean tag, so the equals() call below throws a NullPointerException
   if (ctx.getEventName().equals("FOO")) {
      // load some more data if the event is FOO
      foo.loadMore();
   }
}

Problem is however that ctx.getEventName() will throw an NPE as the event is null when you use
the stripes:useActionBean tag.
Now I have to say that I never used the stripes:useActionBean tag before,
so I don't know what the best practices are when using it...


Also, my navigation contains references to something like 20 or more
action beans, so even if it would run without NPEs, preloading all those beans
just to check the roles is a lot of overhead.. (especially knowing that calling
context.request.isUserInRole(..) should be enough...)

This is indeed one of the weaknesses of the security interceptor. On the
other hand, the bean object is short lived and doesn't have many properties
populated (if any). Neither the memory nor the call stack will be overly burdened by
this I think. Especially compared to the rest of the request handling.

This may be true for the Stripes part, except if you hit the database in
@Before / @After methods.. (see above)
Also, we have @EJBs injected in there and I am just not sure how
it's going to scale under high load...

Now this is our first Stripes app and we are figuring out
what works well and what does not for us;
one of the things that works well is preloading of data within
@Before / @After lifecycle methods, so I would rather keep it in there..


So, my suggestion to solve (my) ;-) problem here would be,
instead of:

1. An action bean is instantiated by Stripes.

something like:

1. An action bean is scanned on startup and all annotation data is stored so the security manager can do access lookups.

But I haven't had a look into the implementation, so this may not work..

and thanks for your clarification (and code contribution)..
-m
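As an added illustration of the startup-scan idea suggested above (example code written for this thread, not part of Stripes or of the security interceptor being discussed): the registry below reflects over action bean classes once, records which roles each event handler requires, and answers access checks from that map, so no bean is instantiated and no @Before method runs just to evaluate the security tag. It assumes stripes.jar is on the classpath for the real `@HandlesEvent`, `@DefaultHandler` and `Resolution` types; `@RequiresRole`, `RoleRegistry` and the `AdminBean` sample class are hypothetical names constructed for the example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.HandlesEvent;
import net.sourceforge.stripes.action.Resolution;

/** Hypothetical annotation for this example; not part of Stripes or the interceptor. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String[] value();
}

/**
 * Scans action bean classes once at startup (e.g. from a ServletContextListener)
 * and keeps the role metadata per (bean class, event name). Access checks then
 * only touch this map, so no bean instance is created and no lifecycle
 * methods (and their database queries) run for a navigation check.
 */
public final class RoleRegistry {
    // bean class name -> (event name -> roles required; empty set = no annotation)
    private final Map<String, Map<String, Set<String>>> handlers = new HashMap<>();
    // bean class name -> event name of the @DefaultHandler method, if any
    private final Map<String, String> defaultEvents = new HashMap<>();

    public void scan(Class<?> beanClass) {
        Map<String, Set<String>> events = new HashMap<>();
        for (Method m : beanClass.getMethods()) {
            // Stripes treats public, non-static methods returning Resolution as handlers
            if (!Resolution.class.isAssignableFrom(m.getReturnType())) continue;
            if (Modifier.isStatic(m.getModifiers())) continue;
            // Event name is the @HandlesEvent value, else the method name (Stripes' rule)
            HandlesEvent he = m.getAnnotation(HandlesEvent.class);
            String event = he != null ? he.value() : m.getName();
            RequiresRole rr = m.getAnnotation(RequiresRole.class);
            Set<String> roles = rr == null
                    ? Collections.<String>emptySet()
                    : new HashSet<>(Arrays.asList(rr.value()));
            events.put(event, Collections.unmodifiableSet(roles));
            if (m.isAnnotationPresent(DefaultHandler.class)) {
                defaultEvents.put(beanClass.getName(), event);
            }
        }
        handlers.put(beanClass.getName(), Collections.unmodifiableMap(events));
    }

    /**
     * Same contract as step 4 in the thread: TRUE if allowed, FALSE if denied,
     * null when the registry has no information (unknown bean, unknown event,
     * or a handler without role metadata). The caller decides how to treat
     * null; hiding the content is the safe choice.
     */
    public Boolean isAllowed(Class<?> beanClass, String eventName, Predicate<String> isUserInRole) {
        Map<String, Set<String>> events = handlers.get(beanClass.getName());
        if (events == null) return null;
        String event = eventName != null ? eventName : defaultEvents.get(beanClass.getName());
        if (event == null) return null;
        Set<String> roles = events.get(event);
        if (roles == null || roles.isEmpty()) return null;
        for (String role : roles) {
            if (isUserInRole.test(role)) return Boolean.TRUE;
        }
        return Boolean.FALSE;
    }

    /** Constructed sample bean: only its Class object is scanned, it is never instantiated. */
    public static class AdminBean {
        @DefaultHandler
        @RequiresRole("admin")
        public Resolution list() { return null; }

        @HandlesEvent("save")
        @RequiresRole({"admin", "editor"})
        public Resolution persist() { return null; }

        public Resolution help() { return null; }   // no role metadata at all
    }

    public static void main(String[] args) {
        RoleRegistry registry = new RoleRegistry();
        registry.scan(AdminBean.class);
        // Stand-in for request.isUserInRole(..): the current user only has "editor"
        Predicate<String> isUserInRole = "editor"::equals;
        System.out.println("save as editor:    " + registry.isAllowed(AdminBean.class, "save", isUserInRole));
        System.out.println("default as editor: " + registry.isAllowed(AdminBean.class, null, isUserInRole));
        System.out.println("help as editor:    " + registry.isAllowed(AdminBean.class, "help", isUserInRole));
    }
}
```

A null event name is handled by falling back to the scanned @DefaultHandler instead of dereferencing it, which is the case that produces the NPE in the loadData() snippet earlier in the thread. Handlers without any role metadata deliberately yield null rather than TRUE, so a forgotten annotation does not silently grant access; whether the tag then hides its content is a policy decision for the security manager, not for the registry.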
_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
