Tuesday, November 14, 2006

Something to Remember with Generic Authentication

So before bed last night I thought I'd be clever with my WebApplication and require authentication for all instances of WebPage.class. It seemed to work at the time, but that was because I had already logged in, so the required stuff was already in my session.

The problem is that redirecting to Signin.class means redirecting to a WebPage, and that web page comes under the control of the same WebApplication that demands having authentication for all WebPages. You can imagine what happens. If you can't, I'll tell you: an infinite redirect, as it demands authentication for the authentication form.

The nice solution to this is to create a subclass of WebPage, call it AuthenticatedWebPage, and implement all of its constructors to call super(...). Then make the pages that require authentication extend AuthenticatedWebPage instead of WebPage, and configure the SigninAuthorizationStrategy class to apply only to classes that are assignable to AuthenticatedWebPage, that is, AuthenticatedWebPage itself and its subclasses.

(Naturally Signin should not extend AuthenticatedWebPage.)
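
The loop and the fix, modelled without Wicket as an added example (not code from the original post). The page classes are stand-ins, the `allowed` and `resolve` helpers are hypothetical, and the strategy is assumed to redirect every unauthorized request to Signin.

```java
// Added illustration; stand-in classes, not Wicket's own API.
public class AuthLoopDemo {
    // Minimal stand-ins for the page hierarchy described in the post.
    static class WebPage {}
    static class AuthenticatedWebPage extends WebPage {}
    static class Signin extends WebPage {}            // must stay outside the guarded type
    static class AccountPage extends AuthenticatedWebPage {}

    // Hypothetical strategy: guards every class assignable to guardedType.
    static class SigninAuthorizationStrategy {
        private final Class<?> guardedType;
        SigninAuthorizationStrategy(Class<?> guardedType) { this.guardedType = guardedType; }

        boolean allowed(Class<?> page, boolean signedIn) {
            // Pages outside the guarded hierarchy are always reachable.
            return signedIn || !guardedType.isAssignableFrom(page);
        }
    }

    // Follows redirects to Signin until a page renders or the hop limit is hit.
    static String resolve(SigninAuthorizationStrategy s, Class<?> requested, boolean signedIn) {
        Class<?> target = requested;
        for (int hop = 0; hop < 5; hop++) {
            if (s.allowed(target, signedIn)) return "render " + target.getSimpleName();
            target = Signin.class;   // unauthorized: redirect to the sign-in page
        }
        return "redirect loop";
    }

    public static void main(String[] args) {
        SigninAuthorizationStrategy tooBroad = new SigninAuthorizationStrategy(WebPage.class);
        SigninAuthorizationStrategy scoped = new SigninAuthorizationStrategy(AuthenticatedWebPage.class);

        // Anonymous user, guard on WebPage: Signin itself is guarded.
        System.out.println(resolve(tooBroad, AccountPage.class, false));
        // Already signed in: the misconfiguration is invisible.
        System.out.println(resolve(tooBroad, AccountPage.class, true));
        // Anonymous user, guard on AuthenticatedWebPage: Signin renders.
        System.out.println(resolve(scoped, AccountPage.class, false));
        // Protected pages must still be refused for anonymous users.
        System.out.println(scoped.allowed(AccountPage.class, false));
    }
}
```

The scoped design is opt-in: any page that extends WebPage directly is reachable without signing in, so new pages need a review step or test that checks which base class they extend.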

