[Seaside] Seaside Login and so on

Julian Fitzell julian at beta4.com
Tue Aug 5 12:11:01 CEST 2003


Giovanni Giorgi wrote:
> Hi all!
>    I am developing a small apllication using seaside: I love it!!
> I am a newbie to seaside but I know SmallTalk  well.
> 
> I have started to authenticate my users using the same idea used in the 
> seaside admin "webapp".
> I have defined a
>    MySession>>authenticateUser:password:
> and it is fine.
> I have also a CalledWAComponent which is called from the main webapp.
> 
> But now I'd like to implement the classical login/logout process found 
> on a lot of site.
> I'd like to show a login/password box as the first page.
> It is trivial to do it with a special WAComponent subclass but...how 
> can I guarantee nobody can invoke directly my CalledWAComponent and 
> bypass the password?
> 
> Must I check the session in EVERY CalledWAComponent? This is a bit 
> boring :)
> 
> Can you give me some ideas?
> Thank you!


Hi Giovanni,

First off, I'm not quite sure what you mean about directly invoking a 
component: you can only enter a seaside application via a defined entry 
point - so unless you have an entry point for that component nobody will 
be able to enter it directly.

As for solving this problem, you probably want a custom subclass of 
WASession that keeps track of the current user.  Then any component can 
ask the session for the current user when determining what content to 
show.  The session subclass would also have methods for performing 
authentication.

If you wanted to use HTTP basic auth or cookies or some other kind of 
authentication that was provided on every request, you would probably 
add a filter that would perform the authentication, but since you're 
talking about using an HTML form, I won't go into details on this.

If you wanted to have the whole site or a particular subcomponent of the 
site password protected you could wrap it in an authentication component 
(this is what we do at work).  This component would check the session to 
see if a user was set.  If a user is set, it displays its contents.  If a 
user is not set, it displays a login form instead - the action on the 
form would perform authentication with the session and allow the 
authentication component to redraw itself.

--------------------
AuthenticationFrame>>renderContentOn: html
   "Gate on the session, not on the component: nothing below this
    frame is rendered until the session says a user is logged in."
   self session isAuthenticated
     ifFalse:
       [html form:
         [html text: 'Login: '.
         html textInputOn: #username of: self; break.
         html text: 'Password: '.
         html passwordInputOn: #password of: self; break.
         html submitButtonWithAction: [self authenticate] text: 'Log In']]
     ifTrue: [self render: contents].

AuthenticationFrame>>authenticate
     self session authenticateUser: self username withPassword: self password.

     "Remember the username in the form for later but clear the password"

     self password: ''.
---------------------

After #authenticate runs, the authentication frame will be redrawn.  If 
the authentication was successful, the component will show its contents 
this time.  If not, it will display the login form again with the 
username still filled in.

There are many variations of course.  You could have a little component 
in a sidebar that displayed the login form and did the authentication 
with the session but didn't actually contain any other content.  Then 
you'd have to have your other components check for an authenticated user 
themselves.  They could also get the current user from the session to 
display their name, or get their preferences or permissions, etc.

Anyway, hope that gives you somewhere to start.  Shout if you want more 
clarification.

Julian
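The session side that the frame above relies on, as an added example that is not part of the original post and not Seaside's own code. It fills in the WASession subclass Julian describes (current user, #isAuthenticated, #authenticateUser:withPassword:, a #logout) and a minimal User that stores a salted digest rather than the password, so neither the session nor the component ever keeps the cleartext. The class names MySession, User, UserDirectory (an assumed application-side Dictionary of username -> User held in a class variable), ProtectedPage and the #renderLoginFormOn: split are assumptions; the rendering calls are the Seaside 2.x-era ones used in the thread, and SecureHashAlgorithm is assumed to be present in the Squeak image.

```smalltalk
"Session: the single place the current user lives."
WASession subclass: #MySession
    instanceVariableNames: 'user'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'MyApp'

MySession>>user
    "The User that logged in during this session, or nil."
    ^ user

MySession>>isAuthenticated
    ^ user notNil

MySession>>authenticateUser: aUsername withPassword: aPassword
    "Resolve the username and verify the password against the stored
     salted digest. Any failure leaves the session unauthenticated.
     UserDirectory is an assumed application-side registry (a Dictionary
     of username -> User in a class variable), not a Seaside class."
    | candidate |
    user := nil.
    candidate := UserDirectory at: aUsername ifAbsent: [nil].
    (candidate notNil and: [candidate verifiesPassword: aPassword])
        ifTrue: [user := candidate].
    ^ self isAuthenticated

MySession>>logout
    "Dropping the user is all a logout needs: every component reads
     the user from the session, so nothing else has to be reset."
    user := nil

"User: stores a salted digest, never the cleartext password."
Object subclass: #User
    instanceVariableNames: 'name salt digest'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'MyApp'

User>>name
    ^ name

User>>name: aString
    name := aString

User>>digestOf: aPassword
    "Salted SHA-1 through Squeak's SecureHashAlgorithm (assumed to be
     present in the image); answers a LargePositiveInteger."
    ^ SecureHashAlgorithm new hashMessage: salt , aPassword

User>>password: aPassword
    "Pick a fresh per-user salt, then keep only the digest. The salt
     is not secret, so the image's ordinary random source is fine."
    salt := String new: 16.
    1 to: salt size do: [:i | salt at: i put: (Character value: 33 + 93 atRandom)].
    digest := self digestOf: aPassword

User>>verifiesPassword: aPassword
    ^ (self digestOf: aPassword) = digest

"Wrapper component: the frame from the post, plus a logout link."
AuthenticationFrame>>renderContentOn: html
    self session isAuthenticated
        ifFalse: [self renderLoginFormOn: html]
        ifTrue:
            [html anchorWithAction: [self session logout] text: 'Log out'.
             html break.
             self render: contents]

AuthenticationFrame>>renderLoginFormOn: html
    html form:
        [html text: 'Login: '.
         html textInputOn: #username of: self; break.
         html text: 'Password: '.
         html passwordInputOn: #password of: self; break.
         html submitButtonWithAction: [self authenticate] text: 'Log In']

"Any component rendered inside the frame can rely on a user being
 present and reads it from the session instead of re-checking anything."
ProtectedPage>>renderContentOn: html
    html heading: 'Welcome, ', self session user name
```

Two things make this answer Giovanni's "must I check in every component?" question: the application's entry point exposes the AuthenticationFrame (not the protected components), so the only route to the contents is through the frame, and the frame consults the session, so a single #logout clears access to everything at once. The per-request form still travels in cleartext unless the site is served over HTTPS; that is outside what the session can fix.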


