incubator-jspwiki-dev mailing list archives

From Andrew Jaquith <andrew.jaqu...@me.com>
Subject Re: Relevant Stripes patch
Date Thu, 27 Nov 2008 20:40:56 GMT
Sounds good -- I've got a few more issues to iron out with the current  
refactorings, and once I get 'em solved, I'll start committing.

On Nov 27, 2008, at 12:13, Janne Jalkanen <Janne.Jalkanen@ecyrd.com>  
wrote:

>
> BTW, if we don't have any major bugs in 2.8.1 in the next week or  
> so, I think we should start merging the Stripes stuff.  After that I  
> can start committing the JCR stuff (which really needs some of the  
> new classes to be available).
>
> Yee-haw!  Let's break the trunk!
>
> /Janne
>
> On Nov 27, 2008, at 16:43 , Andrew Jaquith wrote:
>
>> Harry --
>>
>> With Stripes Interceptors, the way it works is that its intercept()  
>> method fires before, after, or during particular Stripes lifecycle  
>> stages. The Interceptor has a return type called Resolution, the  
>> two most common types of which are ForwardResolution and  
>> RedirectResolution.  If the Interceptor returns a Resolution, the  
>> controller (StripesFilter/Dispatcher) executes it. Otherwise,  
>> execution continues.
>>
>> Security-type Interceptors typically emit Redirect or Forward  
>> Resolutions if access checks fail, or null (do nothing) if they  
>> succeed.
>>
>> BTW, you can also check out WikiInterceptor in STRIPES_BRANCH to  
>> see how we're going to do it in 3.0.
>>
>> Andrew
>>
>>
>> On Nov 27, 2008, at 1:15, Harry Metske <harry.metske@gmail.com>  
>> wrote:
>>
>>> yes I have read about that but wasn't sure if it would help me.
>>> the important point thing you say here is "forward the user as  
>>> needed to a
>>> login or "unauthorized" page if the role check fails" with the  
>>> emphasis on
>>> login page.
>>> So if I understand it correctly, users that don't have an account  
>>> should
>>> still be able to use the "Read functions" that way.
>>>
>>> I'll have a look at it and see if I can make it work, thanks for  
>>> the help !
>>>
>>> regards,
>>> Harry
>>>
>>> 2008/11/27 Andrew Jaquith <andrew.jaquith@me.com>
>>>
>>>> I am not sure if this will be possible, but it seems to me that  
>>>> you should
>>>> not have to use multiple URLs for the scenario you described.
>>>>
>>>> For role-based access to particular ActionBean methods, I recommend
>>>> annotating the handler methods (read, edit etc) with annotations  
>>>> that denote
>>>> the roles that are allowed to execute them. Then, you would  
>>>> provide an
>>>> Interceptor implementation that fires after event resolution but  
>>>> before
>>>> validation. The Interceptor's job would be to make the  
>>>> authorization
>>>> decision and forward the user as needed to a login or  
>>>> "unauthorized" page if
>>>> the role check fails.
>>>>
>>>> This is actually a pretty simple and elegant approach because you  
>>>> don't need
>>>> to modify ActionBeans, or use separate URL schemes, to do it. This
>>>> Interceptor-based approach is the strategy JSPWiki 3 takes.
>>>>
>>>> There is a community-developed SecurityInterceptor floating  
>>>> around on the
>>>> Stripes site somewhere. You should take a look at that first.
>>>>
>>>> Regards,
>>>>
>>>> Andrew
>>>>
>>>>
>>>> On Nov 26, 2008, at 16:01, Harry Metske <harry.metske@gmail.com>  
>>>> wrote:
>>>>
>>>>> Andrew,
>>>>>
>>>>> will it then be possible to have more than one URL bound to the  
>>>>> same
>>>>> ActionBean ?
>>>>> I ask because I currently work on a simple Stripes based CRUD  
>>>>> application,
>>>>> and I'm using the same ActionBean for all actions (Create, Read,  
>>>>> Update,
>>>>> Delete).
>>>>> I want read to be publicly available, but the others should be  
>>>>> J2EE
>>>>> protected with a security-constraint.
>>>>> So would it be possible to have 2 URLs , like :
>>>>> /nonpub/MyActionBean
>>>>> /pub/MyActionBean
>>>>> Where only the first one is protected.
>>>>> Of course, there is some additional security checking required  
>>>>> in the
>>>>> ActionBean.
>>>>>
>>>>> regards,
>>>>> Harry
>>>>>
>>>>> 2008/11/26 Andrew Jaquith <andrew.jaquith@me.com>
>>>>>
>>>>>> FYI --
>>>>>>
>>>>>> Ben Gunter @ the Stripes project just committed a new  
>>>>>> enhancement that
>>>>>> I'd
>>>>>> requested in August, namely the ability to create ActionBean  
>>>>>> URLBindings
>>>>>> from arbitrary String patterns. It will ship in 1.5.1.
>>>>>>
>>>>>> This is excellent news because it makes it possible for third  
>>>>>> parties
>>>>>> (like
>>>>>> us) to fairly easily create, for example, URLBinding patterns  
>>>>>> that are
>>>>>> read
>>>>>> from text files. This gives us an option for binding URLs to  
>>>>>> ActionBeans
>>>>>> other than the default method, which is to get them from class
>>>>>> annotations.
>>>>>> My intent is to create a FileActionResolver to do this, at a  
>>>>>> slightly
>>>>>> later
>>>>>> point in the 3.0 dev cycle.
>>>>>>
>>>>>> For the Americans on this list -- happy Thanksgiving.
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>>
>>>>
>
