[ http://issues.apache.org/jira/browse/TAPESTRY-936?page=comments#action_12378064 ]
Henri Dupre commented on TAPESTRY-936:
--------------------------------------

This type of API wouldn't even be an authentication mechanism itself but rather low-level plumbing to plug an authentication framework in Tapestry. I'm not too familiar with Acegi, but after looking at the docs and examples it seems to be all URL-based and relies on servlet filters for detecting authenticated pages. Acegi seems to rely on the URL format to say if a link requires a secure channel or not. Instead of tweaking links, I'd rather like to be able to configure it at the page level; this way I don't care how someone got on the page and I don't need to write specific Link components.

Also, this doesn't really need to be called an authentication mechanism but can also be implemented as some kind of generic interceptor interface that would allow authentication to be implemented transparently.

> Provide basic authentication mechanisms
> ---------------------------------------
>
>          Key: TAPESTRY-936
>          URL: http://issues.apache.org/jira/browse/TAPESTRY-936
>      Project: Tapestry
>         Type: Improvement
>   Components: Framework
>     Versions: 4.1
>     Reporter: Henri Dupre
>
> Several implementation details (creation of ICallbacks and page redirection)
> make adding authentication to a Tapestry application not a trivial task.
> Page redirection can only be done in page validate, thus making it impossible to
> capture the state of a page (for instance, properties + parameters of an
> activateExternalPage).
> After looking at the code, this has implications in the core of the engine
> itself and making these changes might not be trivial. But instead of adding
> features for generating ICallbacks and page redirection, why not directly
> wire an authentication API inside the framework?
> Here is a suggestion:
> - provide a blank AuthenticatedPage interface or configuration that allows
> pages to say that they require authentication
> - provide a HiveMind configuration point to plug an authentication service:
> this service has methods to figure out if a user is authenticated or not and
> also provides a page name that is called when a user is not authenticated
> - the authentication pages have to implement a specific interface or another
> mechanism that tells that the authentication process is finished (the process
> might consist of several pages, e.g. new account creation)
> - the engine takes care of the rest: before calling the authentication page,
> a basic state is captured after the page is set up (all declared properties
> are saved), and once the authentication process is finished, all that state
> is restored and the page is called
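
The page-level check and state capture proposed in this issue, sketched as a self-contained added example; it is not part of the original message and is not Tapestry or Acegi code. Every type and name is hypothetical except the `AuthenticatedPage` marker, whose name comes from the proposal, and the session is modelled as a plain map.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch: none of these types are Tapestry or Acegi APIs.
public class PageAuthSketch {
    interface Page { String name(); Map<String, Object> properties(); }
    interface AuthenticatedPage extends Page {}      // blank marker, as proposed
    interface AuthenticationService {                // the pluggable service
        boolean isAuthenticated(Map<String, Object> session);
        String loginPageName();
    }
    record Saved(String pageName, Map<String, Object> properties) {}
    static final String SAVED_KEY = "auth.savedPage"; // constructed session key

    // Engine-side check on every activation, independent of the link that led here.
    static String activate(Page page, Map<String, Object> session, AuthenticationService auth) {
        if (page instanceof AuthenticatedPage && !auth.isAuthenticated(session)) {
            // Snapshot is a copy kept server-side, so the return target never
            // travels through a request parameter the client could change.
            session.put(SAVED_KEY, new Saved(page.name(), new HashMap<>(page.properties())));
            return auth.loginPageName();
        }
        return page.name();
    }

    // Called when the login flow reports completion: re-check, then restore state.
    static String resume(Map<String, Page> pages, Map<String, Object> session, AuthenticationService auth) {
        Saved saved = (Saved) session.remove(SAVED_KEY);
        if (saved == null || !auth.isAuthenticated(session)) return auth.loginPageName();
        Page target = pages.get(saved.pageName());
        if (target == null) return auth.loginPageName();
        target.properties().putAll(saved.properties());
        return target.name();
    }

    public static void main(String[] args) {
        AuthenticationService auth = new AuthenticationService() {
            public boolean isAuthenticated(Map<String, Object> s) { return s.containsKey("user"); }
            public String loginPageName() { return "Login"; }
        };
        Map<String, Object> props = new HashMap<>(Map.of("orderId", 42)); // constructed page state
        AuthenticatedPage order = new AuthenticatedPage() {
            public String name() { return "OrderDetails"; }
            public Map<String, Object> properties() { return props; }
        };
        Map<String, Object> session = new HashMap<>();
        System.out.println(activate(order, session, auth)); // anonymous request
        props.clear();                                       // page instance reset
        session.put("user", "alice");                        // login flow finished
        System.out.println(resume(Map.of("OrderDetails", order), session, auth));
        System.out.println(props);                           // restored properties
    }
}
```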