24 Sep
2009
24 Sep
'09
2:09 a.m.
I have some questions, but let me put what I've discovered in here too,
for the record. Also, you can correct me if I'm wrong!
On Wed, 2009-09-23 at 08:47 +0200, Lukas Renggli wrote:
Very useful.
Once they login, are they taken to the page they were trying to reach
originally?
Thanks.
Ross
Can anyone
give me any pointers about how security works in pier? In
particular, if I make my own components, how do I apply security to
them?
You can find some documentation in Section 3.5.3 in
http://scg.unibe.ch/archive/masters/Reng06a.pdf.
> I've been browsing around and tracing the code and see that the security
> descriptors end up as decorations which apply to objectified commands.
> However, I don't know what I need to do to set the security of an object
> or fiddle with the security policy.
A little more tracing reveals that when
children are added to a
structure all concrete decoration classes are given a chance to do
something to the child. The security decorator copies from the parent,
which in turn triggers the creation of a security descriptor, using the
current context for user and group, on the page.
I also learned that the children of a PRStructure are kept in a child
decorator; that was not what I would have guessed.
You can only apply the security decorations to subclasses of
PRStructure (these are the objects that represent a unique URL or
entry point into your application), not to arbitrary objects (out of
the box, at least).
I'm thinking of having a page with a central area that gets swapped
according to what the user is doing; the other material on the page
would stay. Does that mean there's really only one security decoration
that is relevant? Or does it mean the children are individually
addressable (e.g., elements of a list)?
Also, I wonder if I need any security other than ensuring someone is
logged in. A user will only be presented links to stuff that is
relevant (and allowed) for them. Does adding security to the objects
add any additional security (e.g., perhaps against attempts to
manipulate the URL)?
Finally, in case I do need security, is the ACL based framework still
around? It's probably more appropriate for the scenarios I have in
mind.
Also, if someone comes in from the outside with a
link like
http://my.host.com/seaside/pier/personalpreferences, is there a way I
can ensure that they will be prompted for login and then taken to a
preferences page for them?
The PRForbiddenView is displayed (with a link to the login page). This
is currently hardcoded into the "Pier-Interpreter", but could probably
be moved to the structures so that they can decide to do something
else, if necessary.