Adding @PageAuthorize page state. #215
Conversation
This gives an opportunity for "gatekeeping" pages asynchronously.

```java
@PageAuthorize
void onAuthorize(NavigationControl control) {
  myService.call(hasAccess -> {
    if(hasAccess) {
      // We have access, proceed with navigation.
      control.proceed();
    } else {
      // Interrupt navigation and redirect.
      control.interrupt();
      redirectPageTo.go();
    }
  }).hasAccess(modelId, userId);
}
```
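The pattern the PR proposes, as an added, self-contained example that is not Errai's code and not the PR's: a page-level authorize hook whose navigation control is a one-shot gate, so that a callback firing twice, or both `proceed()` and `interrupt()` being called, can never navigate after a denial, and an error from the access-check service fails closed. `NavigationControl`, `AccessService`, the `onError` callback and the `OWNERS` table are all assumptions constructed for this example; in Errai the control object and the service caller are the framework's own.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;

// Hypothetical stand-in for the control handed to an @PageAuthorize method (not Errai's class).
// It decides exactly once: whichever of proceed()/interrupt() arrives first wins, later calls are ignored.
final class NavigationControl {
    private final AtomicBoolean decided = new AtomicBoolean(false);
    private final Runnable onProceed;
    private final Runnable onInterrupt;

    NavigationControl(Runnable onProceed, Runnable onInterrupt) {
        this.onProceed = onProceed;
        this.onInterrupt = onInterrupt;
    }

    public void proceed() {
        if (decided.compareAndSet(false, true)) onProceed.run();
    }

    public void interrupt() {
        if (decided.compareAndSet(false, true)) onInterrupt.run();
    }

    boolean isDecided() { return decided.get(); }
}

// Constructed stand-in for the asynchronous access-check service ("myService" in the PR text).
// Callbacks are invoked synchronously here so the example runs deterministically offline.
final class AccessService {
    private static final Map<String, Set<String>> OWNERS =
        Map.of("model-1", Set.of("alice"), "model-2", Set.of("bob"));

    void hasAccess(String modelId, String userId,
                   Consumer<Boolean> onResult, Consumer<Throwable> onError) {
        if (modelId.startsWith("broken")) {
            // Simulated backend failure: the caller must treat this as "no access".
            onError.accept(new IllegalStateException("backend unavailable"));
            return;
        }
        onResult.accept(OWNERS.getOrDefault(modelId, Set.of()).contains(userId));
    }
}

public final class PageAuthorizeExample {
    private final AccessService service = new AccessService();

    // Shape of an authorize hook: the page is shown only after the service answers.
    // Every branch reaches a decision, and an error interrupts (fail closed) rather than
    // leaving the navigation pending or falling through to proceed().
    void onAuthorize(NavigationControl control, String modelId, String userId) {
        service.hasAccess(modelId, userId,
            hasAccess -> { if (hasAccess) control.proceed(); else control.interrupt(); },
            error -> control.interrupt());
    }

    // Runs one navigation attempt and reports what the gate did.
    static String attempt(String modelId, String userId) {
        StringBuilder out = new StringBuilder();
        NavigationControl control = new NavigationControl(
            () -> out.append("shown ").append(modelId),
            () -> out.append("redirected to access-denied page"));
        new PageAuthorizeExample().onAuthorize(control, modelId, userId);
        if (!control.isDecided()) out.append("still pending");
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println("alice -> model-1:  " + attempt("model-1", "alice"));
        System.out.println("bob   -> model-1:  " + attempt("model-1", "bob"));
        System.out.println("alice -> broken-1: " + attempt("broken-1", "alice"));
    }
}
```

The point of the one-shot gate is that an asynchronous check has two failure modes a synchronous one does not: the callback may never arrive (the page must stay hidden, not default to shown), and it may arrive more than once or after a timeout-driven interrupt. Making the decision idempotent and routing the error path to `interrupt()` covers both.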
Can one of the admins verify this PR? Comment with 'ok to test' to start the build.
Hi @BenDol, I had been meaning to respond to your forum post, but clearly you were too quick for me ;) First let me say that I like this feature. Your changes are easy to understand, and thank you for adding javadoc and a license header to the new file you created! That being said, there are some things I think we should change before merging this. Here are some of my concerns:
Cheers.
Hi @mbarkley, thanks for the response. I will address the points made here:
Cheers.
@mbarkley Thoughts?
Hi @BenDol, Let me respond to your previous comment point by point.
If you agree with my suggestions, then I can review the PR again once you've had time to update it.
…ion id). Revert change to HttpSessionWrapper. Don't store SessionContainer in session anymore. Keep map of SessionContainers instead.
CSRF protection on message bus servlets is enabled by property. Enabling the property creates a CSRF token on the first POST request to the server bus. The token can be written to an HTML page as a JavaScript variable with a filter, or else the client can acquire it from a challenge from the server (a 403 response containing the token as a header). There is also a filter that protects REST endpoints using the same token. When an Errai REST caller finds the token in a global JavaScript variable, it will set this as a header for all REST requests. Errai REST callers will also retry after a challenge from the server (403 + token in header).
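The token exchange that commit message describes, as an added simulation that is not Errai's filter or REST caller: a server-side filter mints a per-session token on the first POST, answers a request without a valid token with 403 plus the token in a response header, and a client that retries exactly once after such a challenge. The header name `X-CSRF-Token`, the `Session`/`Request`/`Response` stand-ins and the constant-time comparison are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public final class CsrfChallengeExample {
    static final String TOKEN_HEADER = "X-CSRF-Token"; // assumed header name
    static final SecureRandom RNG = new SecureRandom();

    // Constructed stand-ins for the servlet session and HTTP messages.
    static final class Session { String csrfToken; }

    static final class Request {
        final String method;
        final Map<String, String> headers = new HashMap<>();
        Request(String method) { this.method = method; }
    }

    static final class Response {
        final int status;
        final Map<String, String> headers = new HashMap<>();
        Response(int status) { this.status = status; }
    }

    static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Server-side filter. Safe methods pass. A POST must present the session's token;
    // the first POST on a session creates the token, and any POST without a matching
    // token is answered with a 403 challenge carrying the token in a header.
    static Response filter(Session session, Request req) {
        if (!"POST".equals(req.method)) return new Response(200);
        if (session.csrfToken == null) session.csrfToken = newToken();
        String presented = req.headers.get(TOKEN_HEADER);
        if (presented != null && MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                session.csrfToken.getBytes(StandardCharsets.UTF_8))) {
            return new Response(200);
        }
        Response challenge = new Response(403);
        challenge.headers.put(TOKEN_HEADER, session.csrfToken);
        return challenge;
    }

    // Client-side caller. It sends whatever token it knows (in the real setup this
    // may have been seeded from a global JavaScript variable), and on a 403 challenge
    // stores the token and retries once. A second failure is returned, not retried.
    static final class Client {
        String token;

        Response post(Session session) {
            Request req = new Request("POST");
            if (token != null) req.headers.put(TOKEN_HEADER, token);
            Response resp = filter(session, req);
            if (resp.status == 403 && resp.headers.containsKey(TOKEN_HEADER)) {
                token = resp.headers.get(TOKEN_HEADER);
                Request retry = new Request("POST");
                retry.headers.put(TOKEN_HEADER, token);
                resp = filter(session, retry);
            }
            return resp;
        }
    }

    public static void main(String[] args) {
        Session session = new Session();
        Client client = new Client();
        System.out.println("first POST, challenge then retry: " + client.post(session).status);
        System.out.println("second POST, token cached:        " + client.post(session).status);

        // A cross-site request rides on the victim's session cookie but cannot read the
        // challenge response, so it never learns the token and never gets past 403.
        Request forged = new Request("POST");
        forged.headers.put(TOKEN_HEADER, "attacker-guess");
        System.out.println("forged POST with wrong token:     " + filter(session, forged).status);
    }
}
```

Two things this scheme relies on are worth checking in any deployment of it: the challenge response must only be readable by same-origin script (the browser's same-origin policy enforces this unless CORS explicitly exposes the header), and the token must be compared in constant time and bound to the session rather than shared across users, otherwise the 403 challenge becomes an oracle.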
Previously a @PreDestroy would be called but the @ApplicationScoped instance would remain in service.
Continued here #224