From: Bill Atkins
Subject: Re: How to adapt php technique to araneida?
Date: 
Message-ID: <878xp9lcs8.fsf@rpi.edu>
"Jonathon McKitrick" <···········@bigfoot.com> writes:

> One thing I like about php is how easy it is for a page to check if it
> is authorized and then redirect if not.  With araneida, you have to set
> up handlers and check each filename.
>
> Is there an easier way to have a subdirectory with contents to be
> protected, and where requests are redirected to a login page unless the
> user is authorized?  Since I'm serving actual html files rather than
> building them on the fly, I'd prefer not to have to keep a list of each
> file to test each request against.
>

Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
client is authorized.  If the check fails, Araneida calls
REQUEST-NOT-AUTHORIZED.  The default REQUEST-AUTHORIZED-P always
returns T.  You can override these:

  (defmethod request-authorized-p ((handler my-handler) method request)
    ....)

  (defmethod request-not-authorized ((handler my-handler) method request)
    (request-redirect blah))

-- 
This is a song that took me ten years to live and two years to write.
 - Bob Dylan

From: Jonathon McKitrick
Subject: Re: How to adapt php technique to araneida?
Date: 
Message-ID: <1147361200.801488.226650@u72g2000cwu.googlegroups.com>
Bill Atkins wrote:

> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
> client is authorized.  If the check fails, Araneida calls
> REQUEST-NOT-AUTHORIZED.  The default REQUEST-AUTHORIZED-P always
> returns T.  You can override these:
>
>   (defmethod request-authorized-p ((handler my-handler) method request)
>     ....)
>
>   (defmethod request-not-authorized ((handler my-handler) method request)
>     (request-redirect blah))

I looked around for session support, and couldn't find anything.  Can
authentication info be saved in sessions rather than cookies?

From: Bill Atkins
Subject: Re: How to adapt php technique to araneida?
Date: 
Message-ID: <87ejz0a5xp.fsf@rpi.edu>
"Jonathon McKitrick" <···········@bigfoot.com> writes:

> Bill Atkins wrote:
>
>> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
>> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
>> client is authorized.  If the check fails, Araneida calls
>> REQUEST-NOT-AUTHORIZED.  The default REQUEST-AUTHORIZED-P always
>> returns T.  You can override these:
>>
>>   (defmethod request-authorized-p ((handler my-handler) method request)
>>     ....)
>>
>>   (defmethod request-not-authorized ((handler my-handler) method request)
>>     (request-redirect blah))
>
> I looked around for session support, and couldn't find anything.  Can
> authentication info be saved in sessions rather than cookies?
>

As far as I know, Araneida doesn't come with session support.  I think
TBNL (which runs on Araneida) does.

-- 
This is a song that took me ten years to live and two years to write.
 - Bob Dylan

From: Jonathon McKitrick
Subject: Re: How to adapt php technique to araneida?
Date: 
Message-ID: <1147442665.548044.226440@g10g2000cwb.googlegroups.com>
> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
> client is authorized.  If the check fails, Araneida calls
> REQUEST-NOT-AUTHORIZED.  The default REQUEST-AUTHORIZED-P always
> returns T.  You can override these:
>
>   (defmethod request-authorized-p ((handler my-handler) method request)
>     ....)
>
>   (defmethod request-not-authorized ((handler my-handler) method request)
>     (request-redirect blah))

So is the best way to use these to put the login form in one directory
and the protected content in another?  Because I'm trying to figure out
how to check the authorization on all the protected files while still
allowing the login form to be served before authorization has been
granted.

From: Bill Atkins
Subject: Re: How to adapt php technique to araneida?
Date: 
Message-ID: <87zmhn9sme.fsf@rpi.edu>
"Jonathon McKitrick" <···········@bigfoot.com> writes:

>> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
>> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
>> client is authorized.  If the check fails, Araneida calls
>> REQUEST-NOT-AUTHORIZED.  The default REQUEST-AUTHORIZED-P always
>> returns T.  You can override these:
>>
>>   (defmethod request-authorized-p ((handler my-handler) method request)
>>     ....)
>>
>>   (defmethod request-not-authorized ((handler my-handler) method request)
>>     (request-redirect blah))
>
> So is the best way to use these to put the login form in one directory
> and the protected content in another?  Because I'm trying to figure out
> how to check the authorization on all the protected files while still
> allowing the login form to be served before authorization has been
> granted.
>

Maybe this:

  (defclass protection-mixin ()
    ())

  (defmethod request-authorized-p ((handler protection-mixin) method req)
     ;; check here
     )

  (defmethod request-not-authorized ((handler my-handler) method request)
    (request-redirect ;; to login handler
     ))

  (defclass my-first-handler (protection-mixin)
    (...))

  (defclass my-other-handler (protection-mixin)
    (...))

Now any handler that mixes in (inherits from) PROTECTION-MIXIN will
check the user's credentials.  Have the REQUEST-NOT-AUTHORIZED method
redirect to, e.g., LOGIN-HANDLER.

You could also have the REQUEST-NOT-AUTHORIZED method for
PROTECTION-MIXIN send a cookie back before the redirect.  The login
handler could then read it, so that a successful login would bring the
user to the page they were originally trying to access.

HTH.

-- 
This is a song that took me ten years to live and two years to write.
 - Bob Dylan

From: Bill Atkins
Subject: Re: How to adapt php technique to araneida?
Date: 
Message-ID: <87u07v9sks.fsf@rpi.edu>
Bill Atkins <············@rpi.edu> writes:

> "Jonathon McKitrick" <···········@bigfoot.com> writes:
>
>>> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
>>> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
>>> client is authorized.  If the check fails, Araneida calls
>>> REQUEST-NOT-AUTHORIZED.  The default REQUEST-AUTHORIZED-P always
>>> returns T.  You can override these:
>>>
>>>   (defmethod request-authorized-p ((handler my-handler) method request)
>>>     ....)
>>>
>>>   (defmethod request-not-authorized ((handler my-handler) method request)
>>>     (request-redirect blah))
>>
>> So is the best way to use these to put the login form in one directory
>> and the protected content in another?  Because I'm trying to figure out
>> how to check the authorization on all the protected files while still
>> allowing the login form to be served before authorization has been
>> granted.
>>
>
> Maybe this:
>
>   (defclass protection-mixin ()
>     ())
>
>   (defmethod request-authorized-p ((handler protection-mixin) method req)
>      ;; check here
>      )
>
>   (defmethod request-not-authorized ((handler my-handler) method request)
>     (request-redirect ;; to login handler
>      ))
>
>   (defclass my-first-handler (protection-mixin)
>     (...))
>
>   (defclass my-other-handler (protection-mixin)
>     (...))
>
> Now any handler that mixes in (inherits from) PROTECTION-MIXIN will
> check the user's credentials.  Have the REQUEST-NOT-AUTHORIZED method
> redirect to, e.g., LOGIN-HANDLER.
>
> You could also have the REQUEST-NOT-AUTHORIZED method for
> PROTECTION-MIXIN send a cookie back before the redirect.  The login
> handler could then read it, so that a successful login would bring the
> user to the page they were originally trying to access.
>
> HTH.
>
> -- 
> This is a song that took me ten years to live and two years to write.
>  - Bob Dylan

The class-name for REQUEST-NOT-AUTHORIZED should be PROTECTION-MIXIN.

-- 
This is a song that took me ten years to live and two years to write.
 - Bob Dylan
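
The mixin approach from the thread, with REQUEST-NOT-AUTHORIZED specialized on PROTECTION-MIXIN as the last post says, shown as an added example that is not part of the original posts and does not use Araneida itself. The generic functions are local stand-ins with the names and argument order quoted above; the handler classes, the request struct, the cookie names, the token store and SAFE-RETURN-PATH are assumptions, the last one keeping the post-login redirect on the same site.

```lisp
;;; Stand-alone CLOS model of the dispatch discussed in the thread.  It does
;;; not load Araneida: the generic functions here are local stand-ins.
(defclass handler () ())                  ; stand-in base class
(defclass protection-mixin () ())
(defclass login-handler (handler) ())     ; must stay reachable when logged out
(defclass docs-handler (protection-mixin handler) ())  ; hypothetical
(defstruct request path cookies)          ; constructed model, COOKIES is an alist
(defparameter *sessions* '("tok-1"))      ; constructed server-side token store

(defgeneric request-authorized-p (handler method request)
  (:method ((h handler) method request)   ; default from the thread: always T
    (declare (ignore method request))
    t))
(defmethod request-authorized-p ((h protection-mixin) method request)
  (declare (ignore method))
  (let ((token (cdr (assoc "session" (request-cookies request)
                           :test #'string=))))
    (and token (member token *sessions* :test #'string=) t)))

(defgeneric request-not-authorized (handler method request))
(defmethod request-not-authorized ((h protection-mixin) method request)
  (declare (ignore method))
  ;; Remember the requested path, then send the client to the login form.
  (list :redirect "/login"
        :set-cookie (cons "return-to" (request-path request))))

(defun handle-request-authorization (handler method request)
  (if (request-authorized-p handler method request)
      :serve
      (request-not-authorized handler method request)))

(defun safe-return-path (path)
  "Return PATH only if it is a same-site absolute path, otherwise \"/\"."
  (if (and (stringp path) (plusp (length path))
           (char= (char path 0) #\/)
           (not (search "//" path))       ; no scheme-relative //host
           (not (find #\\ path))          ; some browsers read \ as /
           (notany (lambda (c) (< (char-code c) 32)) path)) ; no CR or LF
      path
      "/"))

;; Constructed requests: one without a session, one with a known token.
(let ((anon (make-request :path "/docs/a.html"))
      (user (make-request :path "/docs/a.html"
                          :cookies '(("session" . "tok-1")))))
  (assert (eq :serve (handle-request-authorization (make-instance 'login-handler) :get anon)))
  (assert (equal "/login" (getf (handle-request-authorization (make-instance 'docs-handler) :get anon) :redirect)))
  (assert (eq :serve (handle-request-authorization (make-instance 'docs-handler) :get user)))
  (assert (equal "/" (safe-return-path "//other.example/x"))))
```

In a real handler, the login step would pass the return-to cookie value through SAFE-RETURN-PATH before handing it to REQUEST-REDIRECT.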