incubator-jspwiki-dev mailing list archives

From Janne Jalkanen <Janne.Jalka...@ecyrd.com>
Subject Re: Relevant Stripes patch
Date Thu, 27 Nov 2008 22:07:46 GMT

...and frankly, I don't mind if there's code-in-progress in the  
trunk.  The trunk does not have to be particularly stable anyway.

/Janne

On Nov 27, 2008, at 22:40 , Andrew Jaquith wrote:

> Sounds good -- I've got a few more issues to iron out with the  
> current refactorings, and once I get 'em solved, I'll start  
> committing.
>
> On Nov 27, 2008, at 12:13, Janne Jalkanen  
> <Janne.Jalkanen@ecyrd.com> wrote:
>
>>
>> BTW, if we don't have any major bugs in 2.8.1 in the next week or  
>> so, I think we should start merging the Stripes stuff.  After that  
>> I can start committing the JCR stuff (which really needs some of  
>> the new classes to be available).
>>
>> Yee-haw!  Let's break the trunk!
>>
>> /Janne
>>
>> On Nov 27, 2008, at 16:43 , Andrew Jaquith wrote:
>>
>>> Harry --
>>>
>>> With Stripes Interceptors, the way it works is that its intercept()
>>> method fires before, after, or during particular Stripes  
>>> lifecycle stages. The Interceptor has a return type called  
>>> Resolution, the two most common types of which are  
>>> ForwardResolution and RedirectResolution.  If the Interceptor  
>>> returns a Resolution, the controller (StripesFilter/Dispatcher)  
>>> executes it. Otherwise, execution continues.
>>>
>>> Security-type Interceptors typically emit Redirect or Forward  
>>> Resolutions if access checks fail, or null (do nothing) if they  
>>> succeed.
>>>
>>> BTW, you can also check out WikiInterceptor in STRIPES_BRANCH to  
>>> see how we're going to do it in 3.0.
>>>
>>> Andrew
>>>
>>>
>>> On Nov 27, 2008, at 1:15, Harry Metske <harry.metske@gmail.com>  
>>> wrote:
>>>
>>>> yes I have read about that but wasn't sure if it would help me.
>>>> the important point you say here is "forward the user as  
>>>> needed to a
>>>> login or "unauthorized" page if the role check fails" with the  
>>>> emphasis on
>>>> login page.
>>>> So if I understand it correctly, users that don't have an  
>>>> account should
>>>> still be able to use the "Read functions" that way.
>>>>
>>>> I'll have a look at it and see if I can make it work, thanks for  
>>>> the help !
>>>>
>>>> regards,
>>>> Harry
>>>>
>>>> 2008/11/27 Andrew Jaquith <andrew.jaquith@me.com>
>>>>
>>>>> I am not sure if this will be possible, but it seems to me that  
>>>>> you should
>>>>> not have to use multiple URLs for the scenario you described.
>>>>>
>>>>> For role-based access to particular ActionBean methods, I  
>>>>> recommend
>>>>> annotating the handler methods (read, edit etc) with  
>>>>> annotations that denote
>>>>> the roles that are allowed to execute them. Then, you would  
>>>>> provide an
>>>>> Interceptor implementation that fires after event resolution  
>>>>> but before
>>>>> validation. The Interceptor's job would be to make the  
>>>>> authorization
>>>>> decision and forward the user as needed to a login or  
>>>>> "unauthorized" page if
>>>>> the role check fails.
>>>>>
>>>>> This is actually a pretty simple and elegant approach because  
>>>>> you don't need
>>>>> to modify ActionBeans, or use separate URL schemes, to do it. This
>>>>> Interceptor-based approach is the strategy JSPWiki 3 takes.
>>>>>
>>>>> There is a community-developed  SecurityInterceptor floating  
>>>>> around on the
>>>>> Stripes site somewhere. You should take a look at that first.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Andrew
>>>>>
>>>>>
>>>>> On Nov 26, 2008, at 16:01, Harry Metske  
>>>>> <harry.metske@gmail.com> wrote:
>>>>>
>>>>>> Andrew,
>>>>>>
>>>>>> will it then be possible to have more than one URL bound to  
>>>>>> the same
>>>>>> ActionBean ?
>>>>>> I ask because I currently work on a simple Stripes based CRUD  
>>>>>> application,
>>>>>> and I'm using the same ActionBean for all actions (Create,  
>>>>>> Read, Update,
>>>>>> Delete).
>>>>>> I want read to be publicly available, but the others should be  
>>>>>> J2EE
>>>>>> protected with a security-constraint.
>>>>>> So would it be possible to have 2 URLs , like :
>>>>>> /nonpub/MyActionBean
>>>>>> /pub/MyActionBean
>>>>>> Where only the first one is protected.
>>>>>> Of course, there is some additional security checking required  
>>>>>> in the
>>>>>> ActionBean.
>>>>>>
>>>>>> regards,
>>>>>> Harry
>>>>>>
>>>>>> 2008/11/26 Andrew Jaquith <andrew.jaquith@me.com>
>>>>>>
>>>>>>> FYI --
>>>>>>>
>>>>>>> Ben Gunter @ the Stripes project just committed a new enhancement that
>>>>>>> I'd requested in August, namely the ability to create ActionBean
>>>>>>> URLBindings from arbitrary String patterns. It will ship in 1.5.1.
>>>>>>>
>>>>>>> This is excellent news because it makes it possible for third parties
>>>>>>> (like us) to fairly easily create, for example, URLBinding patterns
>>>>>>> that are read from text files. This gives us an option for binding
>>>>>>> URLs to ActionBeans other than the default method, which is to get
>>>>>>> them from class annotations. My intent is to create a
>>>>>>> FileActionResolver to do this, at a slightly later point in the 3.0
>>>>>>> dev cycle.
>>>>>>>
>>>>>>> For the Americans on this list -- happy Thanksgiving.
>>>>>>>
>>>>>>> Andrew
>>>>>>>
>>>>>>>
>>>>>
>>

