Posted to users@tapestry.apache.org by di...@bgs-ag.de on 2009/09/23 11:54:09 UTC

Proceeding after failed authorization checks

Hi!

I want to protect some pages based on the user groups the user is a member 
of.
I have some partial success using

http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess

For the annotation @Private used there, I defined a parameter indicating 
the user group that is allowed to access the page.

In the howto, if a user that is not logged in tries to access a private 
page, the login page is shown (which may or may not be a sufficient 
solution there), using response.sendRedirect().
In my case, the user may be logged in but not as a member of the right 
group. So, ideally, I'd like to present a page with some message with a 
"back" link to the previously displayed application page or, if the page 
was directly called, with the application start page.

The first problem is passing a message text to the message display page. 
The first thing that came to my mind was a FLASH-persisted field, but as 
the authorization-checking logic is in a Dispatcher, I cannot use this. I 
could use the ApplicationStateManager to put some global object into the 
session, but this doesn't seem right. How should I display a message to 
the user?

The second problem is the link to the originating or to the start page. Is 
this possible? Preferably without JavaScript?

Thank you,
Dirk

BGS Beratungsgesellschaft
Software Systemplanung AG

Köln/Bonn branch office
Grantham-Allee 2-8
53757 Sankt Augustin
Phone: +49 (0) 2241 / 166-500
Fax: +49 (0) 2241 / 166-680
www.bgs-ag.de

Registered office: Mainz
Court of registration: Amtsgericht Mainz, HRB 62 50

Chairman of the supervisory board: Klaus Hellwig
Executive board: Hermann Kiefer, Nils Manegold, Thomas Reitz


  

Reply: Re: Proceeding after failed authorization checks

Posted by di...@bgs-ag.de.
"Thiago H. de Paula Figueiredo" <th...@gmail.com> wrote on 23.09.2009 13:20:21:

> Hi!
> 
> > In the howto, if a user that is not logged in tries to access a private
> > page, the login page is shown (which may or may not be a sufficient
> > solution there), using response.sendRedirect().
> > In my case, the user may be logged in but not as a member of the right
> > group. So, ideally, I'd like to present a page with some message with a
> > "back" link to the previously displayed application page or, if the page
> > was directly called, with the application start page.
> 
> My approach was to define an exception hierarchy (AuthorizationException
> and some subclasses) and throw one of them in my dispatcher. Then, in my
> error page, I handle it appropriately. No JavaScript, no use of session. :)

Oh, my. Thanks! Sometimes it is hard to see old friends when new 
technology hits in.
It simply didn't come to my mind to use Exceptions to pass information 
from the dispatcher to the error page.

As for the back button, I think I might use an SSO that every page can set 
to signal to
the error page where to link the "back" (or "continue") button to.

Thanks again,
Dirk


  

Re: Proceeding after failed authorization checks

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, 23 Sep 2009 06:54:09 -0300, <di...@bgs-ag.de> wrote:

> Hi!

Hi!

> In the howto, if a user that is not logged in tries to access a private
> page, the login page is shown (which may or may not be a sufficient
> solution there), using response.sendRedirect().
> In my case, the user may be logged in but not as a member of the right
> group. So, ideally, I'd like to present a page with some message with a
> "back" link to the previously displayed application page or, if the page
> was directly called, with the application start page.

My approach was to define an exception hierarchy (AuthorizationException
and some subclasses) and throw one of them in my dispatcher. Then, in my
error page, I handle it appropriately. No JavaScript, no use of session. :)

-- 
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago

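
The exception-based approach from the reply above, as an added example in plain Java (not code from the thread, the wiki howto, or Tapestry). The subclass names, the group names, the "Index" start page and the method names are assumptions; in Tapestry the check would sit in Dispatcher.dispatch() and the lookup in the error page's ExceptionReporter.reportException(Throwable). That the framework may wrap the thrown exception is also an assumption, which is why the cause chain is walked.

```java
import java.util.Set;

public class AuthorizationDemo {
    // Base type thrown by the access check. Unchecked, because
    // Dispatcher.dispatch() only declares IOException.
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String message) { super(message); }
    }
    // Hypothetical subclasses: one per failure the error page must tell apart.
    static class NotLoggedInException extends AuthorizationException {
        NotLoggedInException() { super("Please log in to view this page."); }
    }
    static class MissingGroupException extends AuthorizationException {
        MissingGroupException(String group) {
            super("This page is restricted to members of group '" + group + "'.");
        }
    }

    // The check a dispatcher would run before the page renders.
    // userGroups == null models "no user logged in".
    static void checkAccess(Set<String> userGroups, String requiredGroup) {
        if (requiredGroup == null) return;            // page carries no @Private
        if (userGroups == null) throw new NotLoggedInException();
        if (!userGroups.contains(requiredGroup))
            throw new MissingGroupException(requiredGroup);
    }

    // What the error page does with the reported Throwable: walk the cause
    // chain and show only the message of an AuthorizationException.
    static String messageFor(Throwable reported) {
        for (Throwable t = reported; t != null; t = t.getCause())
            if (t instanceof AuthorizationException) return t.getMessage();
        return "An unexpected error occurred.";       // no internal details
    }

    // "Back" link: last page recorded server-side, else the start page.
    static String backTarget(String lastPage) {
        return lastPage != null ? lastPage : "Index";
    }

    public static void main(String[] args) {
        try {
            checkAccess(Set.of("users"), "admins");   // constructed sample input
        } catch (RuntimeException e) {
            Throwable wrapped = new RuntimeException("render failed", e);
            System.out.println(messageFor(wrapped) + " -> " + backTarget(null));
        }
    }
}
```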