Posted to user@turbine.apache.org by Finn Smith <fs...@nntllc.com> on 2001/08/22 22:28:40 UTC

security: isAuthorized not being execed?

I am trying to limit access to screens based on the parameters in the url.

e.g.

http://localhost/test/servlet/test/ViewData.vm/data/0

vs.

http://localhost/test/servlet/test/ViewData.vm/data/1


Some users are allowed to see '0' others are allowed to see '1'. So in the
isAuthorized() of the base secure screen the data parameter is checked
against the user to see if the user has access. If they don't have access
the screen template is set to an "access denied" template. All the (java)
screens inherit from this base secure screen.

However, this does not always work correctly. For instance, user Foo can
click on the link to let them view data 0. Then, say user Foo changes the
url in the browser to point to data 1, which should not be allowed. The data
loads, and a Log statement I have in the doBuildTemplate() of the class that
inherits from the secure screen appears. Thus, the doBuildTemplate() method
is executed without the isAuthorized() method being executed.

How can this happen? It seems semi-random, i.e. if I hit reload again,
sometimes I get the correct behavior.

Is it possible for a screen sub-class to have its doBuildTemplate() method
called without the secure super-class's isAuthorized() being called first?


Confused,
Finn


---------------------------------------------------------------------
To unsubscribe, e-mail: turbine-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: turbine-user-help@jakarta.apache.org


RE: security: isAuthorized not being execed?

Posted by Finn Smith <fs...@nntllc.com>.
* Finn Smith [fsmith@nntllc.com], August 22, 2001 4:29 PM
>
> Is it possible for a screen sub-class to have its doBuildTemplate() method
> called without the secure super-class's isAuthorized() being called first?

Okay. Chalk this one up to posting without spending enough time examining
the problem.

The cached copies from previous test runs in my browser were being loaded.
doBuildTemplate() was not being called. Having my browser refresh the page
every time it visited it fixed the problem.

Finn
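
An added example, not code from either post or from the Turbine project: a base secure screen that makes the per-record check described in the first message and also marks every response as non-cacheable, so the browser does not redisplay a stored copy of a page as happened in the follow-up. It assumes Turbine 2.x's VelocitySecureScreen as the base class; DataSecureScreen, mayView() and AccessDenied.vm are hypothetical names.

```java
import javax.servlet.http.HttpServletResponse;
import org.apache.turbine.modules.screens.VelocitySecureScreen;
import org.apache.turbine.om.security.User;
import org.apache.turbine.util.RunData;

/** Base screen (hypothetical name): per-record authorization plus no-cache headers. */
public abstract class DataSecureScreen extends VelocitySecureScreen {

    // Overrides VelocitySecureScreen.isAuthorized(), which the framework calls
    // before doBuildTemplate(RunData, Context) on every request that reaches it.
    protected boolean isAuthorized(RunData data) throws Exception {
        // Set on allowed and denied responses alike, so neither result is
        // replayed from the browser cache when the URL is edited or revisited.
        HttpServletResponse res = data.getResponse();
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients and proxies
        res.setDateHeader("Expires", 0);

        // "data" is the path parameter from the URLs in the post (/data/0, /data/1).
        // A missing or malformed value becomes -1 and is denied.
        int dataId = data.getParameters().getInt("data", -1);
        User user = data.getUser();

        boolean allowed = user != null
                && user.hasLoggedIn()
                && dataId >= 0
                && mayView(user, dataId);

        if (!allowed) {
            // Hypothetical template name for the "access denied" page.
            data.setScreenTemplate("AccessDenied.vm");
        }
        return allowed;
    }

    /** Hypothetical hook: the application's lookup of which records a user may see. */
    protected abstract boolean mayView(User user, int dataId) throws Exception;
}
```

The headers only affect responses served after the change; copies a browser stored earlier still have to be cleared or force-reloaded once.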

