Posted to users@tapestry.apache.org by Richard Bolkey <rb...@gmail.com> on 2009/09/15 19:27:32 UTC

Securing the form submission, but not the page.

Hi all,

Been trying to figure out the best way to hook up a means to secure the
action of a form without securing the page itself (weird requirement I know,
but alas).

Overriding RequestSecurityManager doesn't seem to be the right approach
because getBaseUrl() lacks any context other than the active page name.

Referencing a Form in an injected page containing the Secure annotation
won't help because the link is generated for the active page and not the
containing page.

UrlRewriterRules don't seem to work because I don't have access to anything
before the server name (can't set https://).

Any suggestions or other approaches?  Am I missing something?

Thanks,
Rick

Re: Securing the form submission, but not the page.

Posted by Carl Crowder <ca...@taptu.com>.
Perhaps you could move common stuff into a base class and have two pages 
- the first form page, and the submission page. Set the action to point 
at the secure one.

There's probably a better way though.

Richard Bolkey wrote:
> Hi all,
> 
> Been trying to figure out the best way to hook up a means to secure the
> action of a form without securing the page itself (weird requirement I know,
> but alas).
> 
> Overriding RequestSecurityManager doesn't seem to be the right approach
> because getBaseUrl() lacks any context other than the active page name.
> 
> Referencing a Form in an injected page containing the Secure annotation
> won't help because the link is generated for the active page and not the
> containing page.
> 
> UrlRewriterRules don't seem to work because I don't have access to anything
> before the server name (can't set https://).
> 
> Any suggestions or other approaches?  Am I missing something?
> 
> Thanks,
> Rick
> 
