Andreas,

I'm using a custom HiveMind interceptor on the major service-points'
'service' method that checks for authentication and redirects to the
login page if none exists.

The only problem (and it's a big one) is that the page isn't set up
when the interceptor runs.  I can get to the page name via the
parameters (and therefore check to see if that particular page needs
protection) but can't call any method on the page that needs access to
properties.  That means I can't use external pages or some other more
sophisticated callback until the ability to force a page setup
(TAPESTRY-892) is added to Tapestry.

I like the approach because it centralizes authentication and prevents
individual page authors from having to worry about it.  It does have
its own issues, though.

-Mike

On 4/8/06, Andreas Bulling <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> this time I have a design-related question and I hope to get
> useful feedback for myself and hopefully also for others
> following this list.
>
> What is in your opinion or from your experience the best
> way to implement some sort of security layer in a
> Tapestry/Hivemind/Hibernate based web application?
> I'm thinking of a facility responsible for access control
> checks on persistent domain objects (for example if a
> person is allowed to read/delete/update a certain domain
> object).
>
> What about the Hibernate Interceptors, the Hibernate Event
> interface, perhaps a self-coded Hivemind interceptor solution,
> some Tapestry stuff I don't know? How did you solve this
> problem?
>
> I'm really looking forward to all of your answers! ;)
>
> Kind regards,
>  Andreas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
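
The centralized check described in the reply above, as an added example that is not part of the original thread and is not Tapestry or HiveMind code: a plain `java.lang.reflect.Proxy` wraps a hypothetical `EngineService` interface and decides from the request parameters alone, before any page object exists. The interface, the page names, the `page` and `user` keys, and the `redirect:Login` result are all assumptions made for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;

public class AuthInterceptorDemo {
    // Hypothetical stand-in for a service point; not the Tapestry interface.
    interface EngineService {
        String service(Map<String, String> params, Map<String, Object> session);
    }

    // Constructed sample: pages reachable without a login. Any other name,
    // including a missing one, is treated as protected (deny by default).
    static final Set<String> PUBLIC_PAGES = Set.of("Home", "Login");

    static EngineService secure(EngineService target) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("service")) {
                // Only the request parameters and session are available here;
                // the page object itself has not been set up yet.
                Map<?, ?> params = (Map<?, ?>) args[0];
                Map<?, ?> session = (Map<?, ?>) args[1];
                Object page = params.get("page");
                boolean isPublic = page != null && PUBLIC_PAGES.contains(page);
                if (!isPublic && session.get("user") == null) {
                    return "redirect:Login"; // never reaches the real service
                }
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the service's own exception
            }
        };
        return (EngineService) Proxy.newProxyInstance(
                EngineService.class.getClassLoader(),
                new Class<?>[] {EngineService.class}, handler);
    }

    public static void main(String[] args) {
        EngineService guarded = secure((p, s) -> "render:" + p.get("page"));
        Map<String, Object> anon = Map.of();
        Map<String, Object> loggedIn = Map.of("user", "mike");
        System.out.println(guarded.service(Map.of("page", "Home"), anon));
        System.out.println(guarded.service(Map.of("page", "Orders"), anon));
        System.out.println(guarded.service(Map.of("page", "Orders"), loggedIn));
        System.out.println(guarded.service(Map.of(), anon));
    }
}
```

Because the decision uses only the page name, per-object checks such as whether a user may update a particular domain object still have to be enforced closer to the data.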
