Hi,
I'm trying to create an authorization scheme in Araneida. Basically
whenever a location in my URL space is called I want to check whether
the user is authorized and redirect to a login page if he isn't.
I found this post on usenet:
http://groups.google.com/group/comp.lang.lisp/browse_thread/thread/a6990567666934d2/12bca167849b64e9?lnk=gst&q=request-authorized-p&rnum=1&hl=en&fwc=2
According to this post, the generic function "request-authorized-p" is
called for every request to determine whether a client is authorized.
To test this, I've got:
============= snip ==================
;; Handler class for the protected part of the URL space.
(defclass root-page-handler (araneida:handler) ())

;; Test stub: FORMAT to T prints the message and returns NIL.
(defmethod request-authorized-p ((araneida:handler root-page-handler)
                                 method request)
  (format t "not authorized"))

;; Send unauthorized clients to the login page.
(defmethod request-not-authorized ((araneida:handler root-page-handler)
                                   method request)
  (araneida:request-redirect request
                             *login-urlstring*))

;; Page served once the request is let through.
(defmethod handle-request-response ((araneida:handler root-page-handler)
                                    method request)
  (araneida:request-send-headers request)
  (araneida:html-stream
   (araneida:request-stream request)
   `(html (body (p "logged in")))))

(defparameter *root-page-handler-instance*
  (make-instance 'root-page-handler))

(araneida:install-handler
 (http-listener-handler *listener*)
 *root-page-handler-instance*
 *app-urlstring* t)
============= snip ==================
So, I've got request-authorized-p on class root-page-handler. However,
I find that this method is never called by Araneida; instead,
handle-request-response is still called.
What gives? What am I missing?
Joubert
From: Vassil Nikolov
Subject: Re: request-authorized-p (implementation of generic function to yield authorization status)
Date:
Message-ID: <yy8vd53nue84.fsf@eskimo.com>
On 5 Mar 2007 20:19:57 -0800, ···········@gmail.com said:
| Hi,
| I'm trying to create an authorization scheme in Araneida. Basically
| whenever a location in my URL space is called I want to check whether
| the user is authorized and redirect to a login page if he isn't.
As an aside, if you are checking if a user is authorized [to do
something], then the user must have already logged in (i.e., a login
page serves to authenticate users, not to authorize them).
---Vassil.
--
Is your code free of side defects?
On Mar 6, 12:34 am, Vassil Nikolov <···············@pobox.com> wrote:
> On 5 Mar 2007 20:19:57 -0800, ···········@gmail.com said:
>
> | Hi,
> | I'm trying to create an authorization scheme in Araneida. Basically
> | whenever a location in my URL space is called I want to check whether
> | the user is authorized and redirect to a login page if he isn't.
>
> As an aside, if you are checking if a user is authorized [to do
> something], then the user must have already logged in (i.e., a login
> page serves to authenticate users, not to authorize them).
>
Sure - authorization simply means "are you allowed". In my example,
you are authorized as long as you're authenticated (logged in). In a
fuller example, authorization would be based on the logged-in user's
role together with additional business logic.
Joubert
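
The distinction drawn in this thread (a login page authenticates, a role check authorizes), as an added example that is not code from any poster or from Araneida: a stand-alone CLOS model in which a hypothetical `dispatch` function runs both checks before the response method can be reached. The `request` struct, the `request-authenticated-p` generic, the role names and the status lists are assumptions made for illustration.

```lisp
;;; Added example: a stand-alone model of the check-then-respond flow from
;;; this thread. It does not use Araneida; DISPATCH, the REQUEST struct and
;;; the role names are assumptions made for illustration.
(defpackage :authz-sketch (:use :cl))
(in-package :authz-sketch)

(defstruct request path user roles)   ; USER is NIL until login succeeds

(defclass handler () ())
(defclass admin-handler (handler)
  ((required-role :initform :admin :reader required-role)))

;; Authentication: do we know who the caller is?
(defgeneric request-authenticated-p (handler request)
  (:method ((h handler) request) (not (null (request-user request)))))

;; Authorization: is this known caller allowed here?
(defgeneric request-authorized-p (handler request)
  ;; Default deny: a handler that defines no policy serves nobody.
  (:method ((h handler) request) (declare (ignore request)) nil)
  (:method ((h admin-handler) request)
    (not (null (member (required-role h) (request-roles request))))))

(defgeneric handle-request-response (handler request)
  (:method ((h handler) request)
    (list 200 (format nil "logged in as ~a" (request-user request)))))

(defun dispatch (handler request &key (login-url "/login"))
  "Run both checks before the response method can be reached."
  (cond ((not (request-authenticated-p handler request))
         (list 302 login-url))            ; unknown caller: go log in
        ((not (request-authorized-p handler request))
         (list 403 "forbidden"))          ; known caller, not allowed
        (t (handle-request-response handler request))))

(defun demo ()
  "Three constructed requests: anonymous, wrong role, correct role."
  (let ((h (make-instance 'admin-handler)))
    (list (dispatch h (make-request :path "/admin"))
          (dispatch h (make-request :path "/admin" :user "bob"
                                    :roles '(:staff)))
          (dispatch h (make-request :path "/admin" :user "alice"
                                    :roles '(:admin))))))
```

Calling `(authz-sketch::demo)` at the REPL returns one result list per constructed request, so the redirect, the refusal and the normal response can be compared side by side.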