incubator-jspwiki-dev mailing list archives

From Janne Jalkanen <Janne.Jalka...@ecyrd.com>
Subject Re: Relevant Stripes patch
Date Thu, 27 Nov 2008 17:13:12 GMT

BTW, if we don't have any major bugs in 2.8.1 in the next week or so,  
I think we should start merging the Stripes stuff.  After that I can  
start committing the JCR stuff (which really needs some of the new  
classes to be available).

Yee-haw!  Let's break the trunk!

/Janne

On Nov 27, 2008, at 16:43 , Andrew Jaquith wrote:

> Harry --
>
> With Stripes Interceptors, the way it works is that its intercept()  
> method fires before, after, or during particular Stripes lifecycle  
> stages. The Interceptor has a return type called Resolution, the  
> two most common types of which are ForwardResolution and  
> RedirectResolution.  If the Interceptor returns a Resolution, the  
> controller (StripesFilter/Dispatcher) executes it. Otherwise,  
> execution continues.
>
> Security-type Interceptors typically emit Redirect or Forward  
> Resolutions if access checks fail, or null (do nothing) if they  
> succeed.
>
> BTW, you can also check out WikiInterceptor in STRIPES_BRANCH to  
> see how we're going to do it in 3.0.
>
> Andrew
>
>
> On Nov 27, 2008, at 1:15, Harry Metske <harry.metske@gmail.com> wrote:
>
>> yes I have read about that but wasn't sure if it would help me.
>> the important thing you say here is "forward the user as  
>> needed to a
>> login or "unauthorized" page if the role check fails" with the  
>> emphasis on
>> login page.
>> So if I understand it correctly, users that don't have an account  
>> should
>> still be able to use the "Read functions" that way.
>>
>> I'll have a look at it and see if I can make it work, thanks for  
>> the help!
>>
>> regards,
>> Harry
>>
>> 2008/11/27 Andrew Jaquith <andrew.jaquith@me.com>
>>
>>> I am not sure if this will be possible, but it seems to me that  
>>> you should
>>> not have to use multiple URLs for the scenario you described.
>>>
>>> For role-based access to particular ActionBean methods, I recommend
>>> annotating the handler methods (read, edit etc) with annotations  
>>> that denote
>>> the roles that are allowed to execute them. Then, you would  
>>> provide an
>>> Interceptor implementation that fires after event resolution but  
>>> before
>>> validation. The Interceptor's job would be to make the authorization
>>> decision and forward the user as needed to a login or  
>>> "unauthorized" page if
>>> the role check fails.
>>>
>>> This is actually a pretty simple and elegant approach because you  
>>> don't need
>>> to modify ActionBeans, or use separate URL schemes, to do it. This
>>> Interceptor-based approach is the strategy JSPWiki 3 takes.
>>>
>>> There is a community-developed SecurityInterceptor floating  
>>> around on the
>>> Stripes site somewhere. You should take a look at that first.
>>>
>>> Regards,
>>>
>>> Andrew
>>>
>>>
>>> On Nov 26, 2008, at 16:01, Harry Metske <harry.metske@gmail.com>  
>>> wrote:
>>>
>>>> Andrew,
>>>>
>>>> will it then be possible to have more than one URL bound to the  
>>>> same
>>>> ActionBean ?
>>>> I ask because I currently work on a simple Stripes based CRUD  
>>>> application,
>>>> and I'm using the same ActionBean for all actions (Create, Read,  
>>>> Update,
>>>> Delete).
>>>> I want read to be publicly available, but the others should be J2EE
>>>> protected with a security-constraint.
>>>> So would it be possible to have 2 URLs, like:
>>>> /nonpub/MyActionBean
>>>> /pub/MyActionBean
>>>> Where only the first one is protected.
>>>> Of course, there is some additional security checking required  
>>>> in the
>>>> ActionBean.
>>>>
>>>> regards,
>>>> Harry
>>>>
>>>> 2008/11/26 Andrew Jaquith <andrew.jaquith@me.com>
>>>>
>>>>> FYI --
>>>>>
>>>>> Ben Gunter @ the Stripes project just committed a new  
>>>>> enhancement that
>>>>> I'd
>>>>> requested in August, namely the ability to create ActionBean  
>>>>> URLBindings
>>>>> from arbitrary String patterns. It will ship in 1.5.1.
>>>>>
>>>>> This is excellent news because it makes it possible for third  
>>>>> parties
>>>>> (like
>>>>> us) to fairly easily create, for example, URLBinding patterns  
>>>>> that are
>>>>> read
>>>>> from text files. This gives us an option for binding URLs to  
>>>>> ActionBeans
>>>>> other than the default method, which is to get them from class
>>>>> annotations.
>>>>> My intent is to create a FileActionResolver to do this, at a  
>>>>> slightly
>>>>> later
>>>>> point in the 3.0 dev cycle.
>>>>>
>>>>> For the Americans on this list -- happy Thanksgiving.
>>>>>
>>>>> Andrew
>>>>>
>>>>>
>>>
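
Added example, not part of the original thread and not code from JSPWiki or Stripes: a sketch of the annotation-plus-Interceptor approach described in the quoted messages, where unannotated handlers stay public and annotated ones require a role. The @AllowedRoles annotation, the class name and both page paths are hypothetical, and the sketch assumes container-managed authentication populates getUserPrincipal() and isUserInRole().

```java
// RoleInterceptor.java (the ActionBeans using @AllowedRoles share this package)
import java.lang.annotation.*;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import net.sourceforge.stripes.action.*;
import net.sourceforge.stripes.controller.*;

// Hypothetical annotation: roles allowed to invoke a handler method.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface AllowedRoles {
    String[] value();
}

// Wraps HandlerResolution: once proceed() returns, the handler method is known
// and binding/validation has not started yet.
@Intercepts(LifecycleStage.HandlerResolution)
public class RoleInterceptor implements Interceptor {
    private static final String LOGIN_PAGE = "/Login.jsp";          // assumed path
    private static final String DENIED_PAGE = "/Unauthorized.jsp";  // assumed path

    public Resolution intercept(ExecutionContext ctx) throws Exception {
        Resolution resolution = ctx.proceed();    // let Stripes resolve the handler
        if (resolution != null) {
            return resolution;                    // Stripes already chose a Resolution
        }
        Method handler = ctx.getHandler();
        AllowedRoles allowed =
            handler == null ? null : handler.getAnnotation(AllowedRoles.class);
        if (allowed == null) {
            return null;                          // unannotated handler (e.g. read) stays public
        }
        HttpServletRequest request = ctx.getActionBeanContext().getRequest();
        if (request.getUserPrincipal() == null) {
            return new RedirectResolution(LOGIN_PAGE);   // anonymous user: send to login
        }
        for (String role : allowed.value()) {
            if (request.isUserInRole(role)) {
                return null;                      // access check passed: lifecycle continues
            }
        }
        return new ForwardResolution(DENIED_PAGE);       // authenticated but lacks the role
    }
}
```

Treating unannotated handlers as public is a choice made for this sketch to match the "read is public" scenario; a stricter variant would deny any handler that carries no annotation.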

