incubator-jspwiki-dev mailing list archives

From Andrew Jaquith <>
Subject Re: Relevant Stripes patch
Date Thu, 27 Nov 2008 14:43:17 GMT
Harry --

With Stripes Interceptors, the way it works is that its intercept()  
method fires before, after, or during particular Stripes lifecycle  
stages. The Interceptor has a return type called Resolution, the two  
most common types of which are ForwardResolution and  
RedirectResolution.  If the Interceptor returns a Resolution, the  
controller (StripesFilter/Dispatcher) executes it. Otherwise,  
execution continues.

Security-type Interceptors typically emit Redirect or Forward  
Resolutions if access checks fail, or null (do nothing) if they succeed.

BTW, you can also check out WikiInterceptor in STRIPES_BRANCH to see  
how we're going to do it in 3.0.


On Nov 27, 2008, at 1:15, Harry Metske <> wrote:

> yes I have read about that but wasn't sure if it would help me.
> the important point thing you say here is "forward the user as  
> needed to a
> login or "unauthorized" page if the role check fails" with the  
> emphasis on
> login page.
> So if I understand it correctly, users that don't have an account  
> should
> still be able to use the "Read functions" that way.
> I'll have a look at it and see if I can make it work, thanks for the  
> help !
> regards,
> Harry
> 2008/11/27 Andrew Jaquith <>
>> I am not sure if this will be possible, but it seems to me that you  
>> should
>> not have to use multiple URLs for the scenario you described.
>> For role-based access to particular ActionBean methods, I recommend
>> annotating the handler methods (read, edit etc) with annotations  
>> that denote
>> the roles that are allowed to execute them. Then, you would provide  
>> an
>> Interceptor implementation that fires after event resolution but  
>> before
>> validation. The Interceptor's job would be to make the authorization
>> decision and forward the user as needed to a login or  
>> "unauthorized" page if
>> the role check fails.
>> This is actually a pretty simple and elegant approach because you  
>> don't need
>> to modify ActionBeans, or use separate URL schemes, to do it. This
>> Interceptor-based approach is the strategy JSPWiki 3 takes.
>> There is a community-developed SecurityInterceptor floating around  
>> on the
>> Stripes site somewhere. You should take a look at that first.
>> Regards,
>> Andrew
>> On Nov 26, 2008, at 16:01, Harry Metske <>  
>> wrote:
>>> Andrew,
>>> will it then be possible to have more than one URL bound to the same
>>> ActionBean ?
>>> I ask because I currently work on a simple Stripes based CRUD  
>>> application,
>>> and I'm using the same ActionBean for all actions (Create, Read,  
>>> Update,
>>> Delete).
>>> I want read to be publicly available, but the others should be J2EE
>>> protected with a security-constraint.
>>> So would it be possible to have 2 URLs , like :
>>> /nonpub/MyActionBean
>>> /pub/MyActionBean
>>> Where only the first one is protected.
>>> Of course, there is some additional security checking required in  
>>> the
>>> ActionBean.
>>> regards,
>>> Harry
>>> 2008/11/26 Andrew Jaquith <>
>>>> FYI --
>>>> Ben Gunter @ the Stripes project just committed a new enhancement  
>>>> that
>>>> I'd
>>>> requested in August, namely the ability to create ActionBean  
>>>> URLBindings
>>>> from arbitrary String patterns. It will ship in 1.5.1.
>>>> This is excellent news because it makes it possible for third  
>>>> parties
>>>> (like
>>>> us) to fairly easily create, for example, URLBinding patterns  
>>>> that are
>>>> read
>>>> from text files. This gives us an option for binding URLs to  
>>>> ActionBeans
>>>> other than the default method, which is to get them from class
>>>> annotations.
>>>> My intent is to create a FileActionResolver to do this, at a  
>>>> slightly
>>>> later
>>>> point in the 3.0 dev cycle.
>>>> For the Americans on this list -- happy Thanksgiving.
>>>> Andrew
