Posted to users@tapestry.apache.org by Vjeran Marcinko <vj...@email.t-com.hr> on 2009/11/08 17:22:46 UTC

Suggestion for instance-based authorization?

Hello all,

I have a T5 app that has typical security restrictions on some pages based 
on role, but also based on domain-specific instances that can be resolved 
from request parameters.

For example, a request to the web page ShowDocument, which accepts "documentID" as 
a parameter, can be allowed only to users with the ROOT role, or to a user with the CUSTOMER 
role *only if it is THE customer who created this document*, meaning I have 
to resolve the document's customer and compare it to the logged-in user inside the 
HttpSession to check if he's authorized.

Since page-specific request parameters are set inside each T5 page via the 
"activate" event, the only time to perform authorization would be after 
that. It would be best if there could be some new event plugged into the request 
pipeline that would be fired right after the "activate" event, and where I 
could perform some page-specific authorization and return the login page if not 
authorized. Is this possible to do now somehow?

Or some other suggestion?

BR,
Vjeran


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
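The check Vjeran describes can be done directly in the page's activation handler: in Tapestry 5, returning a page class from onActivate makes Tapestry redirect there instead of rendering the page, so the ownership test runs before any template code can see the document. The following is an added example, not code from the thread or from Tapestry itself; User, Document, DocumentDao, Role, and the Login and AccessDenied pages are assumed (hypothetical) application types. The Tapestry APIs used (EventContext, @SessionState with its "...Exists" companion field, @Inject, @Property) are real.

```java
// Added example, not from the original post or from Tapestry itself.
// Assumed (hypothetical) application types: User, Document, DocumentDao, Role,
// and the pages Login and AccessDenied.
package com.example.pages;

import org.apache.tapestry5.EventContext;
import org.apache.tapestry5.annotations.Property;
import org.apache.tapestry5.annotations.SessionState;
import org.apache.tapestry5.ioc.annotations.Inject;

public class ShowDocument {

    // @SessionState keeps the object in the HttpSession; the companion boolean
    // (field name + "Exists") tells us whether one is present without creating it.
    @SessionState
    private User user;
    private boolean userExists;

    @Inject
    private DocumentDao documentDao;   // hypothetical DAO

    @Property
    private Document document;

    /**
     * Activation context = the "documentID" URL parameter.
     * Taking an EventContext (rather than a Long) lets us reject requests that
     * carry no id at all instead of silently rendering the page unchecked.
     * Returning a page class makes Tapestry redirect there; returning null
     * lets the render continue.
     */
    Object onActivate(EventContext context) {
        if (!userExists) {
            return Login.class;                  // nobody logged in
        }
        if (context.getCount() < 1) {
            return AccessDenied.class;           // no documentID: fail closed
        }

        Long documentId = context.get(Long.class, 0);
        Document candidate = documentDao.findById(documentId);
        if (candidate == null) {
            return AccessDenied.class;           // unknown id: same answer as "not yours"
        }

        boolean isRoot = user.hasRole(Role.ROOT);
        boolean isOwningCustomer = user.hasRole(Role.CUSTOMER)
                && candidate.getCustomerId() != null
                && candidate.getCustomerId().equals(user.getCustomerId());

        if (!(isRoot || isOwningCustomer)) {
            return AccessDenied.class;           // deny by default
        }

        document = candidate;                    // only now is the instance exposed to the template
        return null;
    }

    /** Lets Tapestry rebuild the page URL (e.g. after a form submit or refresh). */
    Long onPassivate() {
        return document == null ? null : document.getId();
    }
}
```

Two practical notes: onActivate fires for component event requests on the page as well as for render requests, so action links and form submits on ShowDocument are covered by the same check; and answering an unknown id and a foreign id identically avoids letting a CUSTOMER enumerate which document ids exist.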


Re: Suggestion for instance-based authorization?

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Sun, 08 Nov 2009 14:22:46 -0200, Vjeran Marcinko  
<vj...@email.t-com.hr> wrote:

> Hello all,

Hi!

> I have a T5 app that has typical security restrictions on some pages  
> based on role, but also based on domain-specific instances that can be  
> resolved from request parameters.

I implemented it inside my Tapestry CRUD  
(http://www.arsmachina.com.br/project/tapestrycrud) package, in its 1.1  
branch. Warning: very outdated documentation. Every attempt to view,  
edit, remove or list objects is checked against an authorization service  
(from my Generic Authorization Package, used in production but not  
released yet).

-- 
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,  
and instructor
Owner, software architect and developer, Ars Machina Tecnologia da  
Informação Ltda.
http://www.arsmachina.com.br
