Re: Overriding pageWithName
- Subject: Re: Overriding pageWithName
- From: Chuck Hill <email@hidden>
- Date: Tue, 20 Jan 2004 15:05:00 -0800
- Organization: Global Village Consulting, Inc.
arturo wrote:
----- Original Message -----
From: "Chuck Hill" <email@hidden>
That way, I just need to override/subclass WOComponent's pageWithName.
I've done a fair bit of this. What are you trying to do?
I'm trying to bridge the worlds of JAAS and WO. A somewhat generic
framework for using the JAAS permission model within a WO application.
I looked at that. The part of JAAS (authentication) I looked at made
my hair stand on end.
I just reread David Neumann's WebObject and Security pdf from WWDC 2000.
His advice (override WOComponent.appendToResponse and
WODirectAction.performActionNamed()) doesn't seem secure enough to me. That
is, using his method, in order to remove the security from a secure
WOComponent you just need to re-override appendToResponse.
I don't think so. If you override appendToResponse and don't call
super (to avoid the security check) then you don't get anything
rendered. A null response is pretty secure. :-) You can't use
super.super.appendToResponse to jump over it either. I suppose you
could re-implement it, but that would be a lot of effort.
So, to me, what I'd like to do is JAAS-ify pageWithName. But I firmly
believe that the responsibility for securing a component should be up to the
WOComponent. This makes it more useful in that I can add secure components
to an already existing application. So I don't want to subclass
WOApplication.
This sounds a little like a job for AOP...
You could also try something like this in Application:
    public WOComponent pageWithName(String s, WOContext c) {
        WOComponent page = super.pageWithName(s, c);
        // Only pages that opt in to the JAAS check are tested.
        if (page instanceof JAASPage) {
            JAASPage securePage = (JAASPage) page;
            // Substitute the violation page when the current user is refused.
            if (!securePage.canBeAccessedBy(((Session) c.session()).currentUser())) {
                page = pageWithName("AccessViolation", c);
            }
        }
        return page;
    }
Perhaps I should just stick to JAAS-ifying the constructor. But that falls
afoul of stateless components.
Well, I can ramble quite a bit about this. But, to my mind, the trick is to
make a non-overrideable method that does the accesscontroller
checkpermission call. Without reducing the flexibility of WO (that is, I
can make appendToResponse()
final but that would make it useless).
Interesting topic.
Chuck
--
Chuck Hill email@hidden
Global Village Consulting Inc. http://www.global-village.net
"It is a funny thing about life; if you refuse to accept
anything but the best, you very often get it."
-- W. Somerset Maugham
<shamelessPlug>
Practical WebObjects
http://www.amazon.com/exec/obidos/tg/detail/-/1590592964
</shamelessPlug>
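
The "non-overrideable method that does the check" idea from the thread, sketched as an added example that is not part of the original message or of WebObjects: a final template method performs the permission test and delegates rendering to an overridable hook. GuardedComponent, PagePermission, PayrollPage and the StringBuilder response are hypothetical stand-ins, not the WO or JAAS API.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.util.List;

// Constructed demo driver: one caller holds a wildcard grant, the other does not.
class GuardDemo {
    public static void main(String[] args) {
        GuardedComponent page = new PayrollPage();
        StringBuilder admin = new StringBuilder();
        page.appendToResponse(admin, List.of(new PagePermission("page.*")));
        StringBuilder guest = new StringBuilder();
        page.appendToResponse(guest, List.of(new PagePermission("page.public")));
        System.out.println("admin sees: " + admin);
        System.out.println("guest sees: " + guest);
    }
}

// Hypothetical stand-in for a WOComponent-like base class.
abstract class GuardedComponent {
    // Permission a caller must hold before this component renders.
    protected abstract Permission requiredPermission();

    // Overridable hook: subclasses put their rendering here.
    protected abstract void renderContent(StringBuilder response);

    // Final, so a subclass cannot re-override it to skip the check.
    public final void appendToResponse(StringBuilder response, List<Permission> granted) {
        Permission needed = requiredPermission();
        boolean allowed = granted.stream().anyMatch(p -> p.implies(needed));
        if (!allowed) {
            response.append("AccessViolation"); // nothing from the page is rendered
            return;
        }
        renderContent(response);
    }
}

// Constructed permission type; BasicPermission supplies "page.*" wildcard matching.
final class PagePermission extends BasicPermission {
    PagePermission(String name) { super(name); }
}

// A secured page supplies only its permission and its content.
class PayrollPage extends GuardedComponent {
    @Override protected Permission requiredPermission() { return new PagePermission("page.payroll"); }
    @Override protected void renderContent(StringBuilder r) { r.append("<h1>Payroll</h1>"); }
}
```

The check itself cannot be overridden away, but a subclass still chooses what requiredPermission() returns, so the permission names need review like any other policy.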