[Seaside] Seaside Login and so on
Julian Fitzell
julian at beta4.com
Tue Aug 5 12:11:01 CEST 2003
Giovanni Giorgi wrote:
> Hi all!
> I am developing a small application using seaside: I love it!!
> I am a newbie to seaside but I know SmallTalk well.
>
> I have started to authenticate my users using the same idea used in the
> seaside admin "webapp".
> I have defined a
> MySession>>authenticateUser:password:
> and it is fine.
> I have also a CalledWAComponent which is called from the main webapp.
>
> But now I'd like to implement the classical login/logout process found
> on a lot of sites.
> I'd like to show a login/password box as the first page.
> It is trivial to do it with a special WAComponent subclass but...how
> can I guarantee nobody can invoke directly my CalledWAComponent and
> bypassing the password?
>
> Must I check the session in EVERY CalledWAComponent? This is a bit
> boring :)
>
> Can you give me some ideas?
> Thank you!
Hi Giovanni,

First off, I'm not quite sure what you mean about directly invoking a
component: you can only enter a seaside application via a defined entry
point - so unless you have an entry point for that component nobody will
be able to enter it directly.

As for solving this problem, you probably want a custom subclass of
WASession that keeps track of the current user. Then any component can
ask the session for the current user when determining what content to
show. The session subclass would also have methods for performing
authentication.

If you wanted to use HTTP basic auth or cookies or some other kind of
authentication that was provided on every request, you would probably
add a filter that would perform the authentication, but since you're
talking about using an HTML form, I won't go into details on this.

If you wanted to have the whole site or a particular subcomponent of the
site password protected you could wrap it in an authentication component
(this is what we do at work). This component would check the session to
see if a user was set. If a user is set it displays its contents. If a
user is not set, it displays a login form instead - the action on the
form would perform authentication with the session and allow the
authentication component to redraw itself.

--------------------
AuthenticationFrame>>renderContentOn: html
    self session isAuthenticated
        ifFalse:
            [html form:
                [html text: 'Login: '.
                html textInputOn: #username of: self; break.
                html text: 'Password: '.
                html passwordInputOn: #password of: self; break.
                html submitButtonWithAction: [self authenticate] text: 'Log In']]
        ifTrue: [self render: contents].

AuthenticationFrame>>authenticate
    self session authenticateUser: self username withPassword: self password.
    "Remember the username in the form for later but clear the password"
    self password: ''.
---------------------

After #authenticate runs, the authentication frame will be redrawn. If
the authentication was successful, the component will show its contents
this time. If not, it will display the login form again with the
username still filled in.

There are many variations of course. You could have a little component
in a sidebar that displayed the login form and did the authentication
with the session but didn't actually contain any other content. Then
you'd have to have your other components check for an authenticated user
themselves. They could also get the current user from the session to
display their name, or get their preferences or permissions, etc.

Anyway, hope that gives you somewhere to start. Shout if you want more
clarification.

Julian
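
Added example, not part of the original message and not Seaside's own code: one way to write the WASession subclass the reply describes, supplying the #isAuthenticated and #authenticateUser:withPassword: methods that AuthenticationFrame calls. MySession, MyUserDirectory, #userNamed:ifAbsent:, #acceptsPassword:, #currentUser and #logout are assumed names for your own application classes and methods.

```smalltalk
"Assumption: only WASession and the two selectors used by
 AuthenticationFrame come from the message above; the rest is hypothetical."
WASession subclass: #MySession
    instanceVariableNames: 'currentUser'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'MyApp'

MySession>>currentUser
    "Answer the authenticated user object, or nil if nobody is logged in."
    ^ currentUser

MySession>>isAuthenticated
    "Components and the authentication frame ask this before rendering."
    ^ currentUser notNil

MySession>>authenticateUser: aUsername withPassword: aPassword
    "Fail closed: forget any previous user first, then set one only if
     the lookup and the password check both succeed. The password is
     checked and discarded, never stored in the session. An unknown
     user and a wrong password give the same answer."
    | candidate |
    currentUser := nil.
    (aUsername isNil or: [aPassword isNil]) ifTrue: [^ false].
    candidate := self userDirectory
        userNamed: aUsername
        ifAbsent: [nil].
    (candidate notNil and: [candidate acceptsPassword: aPassword])
        ifTrue: [currentUser := candidate].
    ^ self isAuthenticated

MySession>>logout
    "Clearing the user makes the authentication frame show the login
     form again on the next redraw."
    currentUser := nil

MySession>>userDirectory
    "Assumption: MyUserDirectory is your own user store. Its user
     objects implement #acceptsPassword: against a stored password
     hash, so no plain-text password is kept anywhere."
    ^ MyUserDirectory default
```

Because the user lives in the session, content wrapped by the authentication frame needs no check of its own; components outside the frame can still ask `self session currentUser` for names or permissions.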