Posted to users@tapestry.apache.org by di...@bgs-ag.de on 2009/09/23 11:54:09 UTC
Proceeding after failed authorization checks
Hi!
I want to protect some pages based on the user groups the user is a member
of.
I have some partial success using
http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess
For the annotation @Private used there, I defined a parameter indicating
the user group that is allowed to access the page.
In the howto, if a user that is not logged in tries to access a private
page, the login page is shown (which may or may not be a sufficient
solution there), using response.sendRedirect().
In my case, the user may be logged in but not as a member of the right
group. So, ideally, I'd like to present a page with some message with a
"back" link to the previously displayed application page or, if the page
was directly called, with the application start page.
The first problem is passing a message text to the message display page.
The first thing that came to my mind was a FLASH-persisted field, but as
the authorization-checking logic is in a Dispatcher, I cannot use this. I
could use the ApplicationStateManager to put some global object into the
session, but this doesn't seem right. How should I display a message to
the user?
The second problem is the link to the originating or to the start page. Is
this possible? Preferably without javascript?
Thank you,
Dirk
BGS Beratungsgesellschaft
Software Systemplanung AG
Köln/Bonn branch office
Grantham-Allee 2-8
53757 Sankt Augustin
Phone: +49 (0) 2241 / 166-500
Fax: +49 (0) 2241 / 166-680
www.bgs-ag.de
Registered office: Mainz
Court of registration
Amtsgericht Mainz
HRB 62 50
Chairman of the Supervisory Board
Klaus Hellwig
Executive Board
Hermann Kiefer
Nils Manegold
Thomas Reitz
Reply: Re: Proceeding after failed authorization checks
Posted by di...@bgs-ag.de.
"Thiago H. de Paula Figueiredo" <th...@gmail.com> wrote on 23.09.2009
13:20:21:
> Hi!
>
> > In the howto, if a user that is not logged in tries to access a private
> > page, the login page is shown (which may or may not be a sufficient
> > solution there), using response.sendRedirect().
> > In my case, the user may be logged in but not as a member of the right
> > group. So, ideally, I'd like to present a page with some message with a
> > "back" link to the previously displayed application page or, if the page
> > was directly called, with the application start page.
>
> My approach was to define an exception hierarchy (AuthorizationException
> and some subclasses) and throw one of them in my dispatcher. Then, in my
> error page, I handle it appropriately. No javaScript, no use of session. :)
Oh, my. Thanks! Sometimes it is hard to see old friends when new
technology hits in.
It simply didn't come to my mind to use Exceptions to pass information
from the dispatcher to the error page.
As for the back button, I think I might use a SSO that every page can set
to signal to
the error page where to link the "back" (or "continue") button to.
Thanks again,
Dirk
Re: Proceeding after failed authorization checks
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, 23 Sep 2009 06:54:09 -0300, <di...@bgs-ag.de> wrote:
> Hi!
Hi!
> In the howto, if a user that is not logged in tries to access a private
> page, the login page is shown (which may or may not be a sufficient
> solution there), using response.sendRedirect().
> In my case, the user may be logged in but not as a member of the right
> group. So, ideally, I'd like to present a page with some message with a
> "back" link to the previously displayed application page or, if the page
> was directly called, with the application start page.
My approach was to define an exception hierarchy (AuthorizationException
and some subclasses) and throw one of them in my dispatcher. Then, in my
error page, I handle it appropriately. No javaScript, no use of session. :)
--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
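
A sketch of the approach described in the reply above, added as an example; it is not code posted by either participant or taken from the Tapestry project. The names MissingGroupException and GroupAccessDispatcher, the "/admin" prefix rule, and the "userGroups" session attribute are assumptions made for illustration; only AuthorizationException is named in the thread.

```java
import java.io.IOException;
import java.util.*;
import org.apache.tapestry5.services.*; // Dispatcher, Request, Response, Session, ExceptionReporter

// Unchecked: Dispatcher.dispatch() declares only IOException.
class AuthorizationException extends RuntimeException {
    AuthorizationException(String message) { super(message); }
}

// Hypothetical subclass: user is logged in but lacks the required group.
class MissingGroupException extends AuthorizationException {
    MissingGroupException(String group, String path) {
        super("You need to be a member of '" + group + "' to open " + path + ".");
    }
}

class GroupAccessDispatcher implements Dispatcher {
    public boolean dispatch(Request request, Response response) throws IOException {
        String path = request.getPath();
        // Assumption: a fixed prefix rule stands in for reading the @Private parameter.
        String required = path.startsWith("/admin") ? "admins" : null;
        if (required != null && !groupsOf(request).contains(required)) {
            throw new MissingGroupException(required, path);
        }
        return false; // not handled here; the next dispatcher renders the page
    }

    // Assumption: login stored the user's groups as a Set<String> under "userGroups".
    @SuppressWarnings("unchecked")
    private Set<String> groupsOf(Request request) {
        Session session = request.getSession(false); // never create a session just to check
        Object groups = session == null ? null : session.getAttribute("userGroups");
        return groups instanceof Set ? (Set<String>) groups : Collections.<String>emptySet();
    }
}

// Error page in the application's pages package; its template prints ${message} (HTML-escaped).
public class ExceptionReport implements ExceptionReporter {
    private String message;

    public void reportException(Throwable exception) {
        message = "An unexpected error occurred."; // generic text for everything else
        // The exception may arrive wrapped, so search the whole cause chain.
        for (Throwable t = exception; t != null; t = t.getCause()) {
            if (t instanceof AuthorizationException) { message = t.getMessage(); break; }
        }
    }

    public String getMessage() { return message; }
}
```

The dispatcher only reads an existing session for the group check; the denial message itself travels in the exception, so nothing is written to the session to display it.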