
How to adapt php technique to araneida?


Jonathon McKitrick

May 9, 2006, 11:37:38 AM
One thing I like about php is how easy it is for a page to check if it
is authorized and then redirect if not. With araneida, you have to set
up handlers and check each filename.

Is there an easier way to have a subdirectory with contents to be
protected, and where requests are redirected to a login page unless the
user is authorized? Since I'm serving actual html files rather than
building them on the fly, I'd prefer not to have to keep a list of each
file to test each request against.

Bill Atkins

May 10, 2006, 6:45:27 PM
"Jonathon McKitrick" <j_mck...@bigfoot.com> writes:

Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
client is authorized. If the check fails, Araneida calls
REQUEST-NOT-AUTHORIZED. The default REQUEST-AUTHORIZED-P always
returns T. You can override these:

(defmethod request-authorized-p ((handler my-handler) method request)
  ....)

(defmethod request-not-authorized ((handler my-handler) method request)
  (request-redirect blah))

--
This is a song that took me ten years to live and two years to write.
- Bob Dylan

Jonathon McKitrick

May 11, 2006, 11:26:40 AM

Bill Atkins wrote:

> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
> client is authorized. If the check fails, Araneida calls
> REQUEST-NOT-AUTHORIZED. The default REQUEST-AUTHORIZED-P always
> returns T. You can override these:
>
> (defmethod request-authorized-p ((handler my-handler) method request)
> ....)
>
> (defmethod request-not-authorized ((handler my-handler) method request)
> (request-redirect blah))

I looked around for session support, and couldn't find anything. Can
authentication info be saved in sessions rather than cookies?

Bill Atkins

May 11, 2006, 12:21:06 PM
"Jonathon McKitrick" <j_mck...@bigfoot.com> writes:

As far as I know, Araneida doesn't come with session support. I think
TBNL (which runs on Araneida) does.

Jonathon McKitrick

May 12, 2006, 10:04:25 AM

> Araneida calls the generic function HANDLE-REQUEST-AUTHORIZATION for
> every request, which calls the gf REQUEST-AUTHORIZED-P to ensure the
> client is authorized. If the check fails, Araneida calls
> REQUEST-NOT-AUTHORIZED. The default REQUEST-AUTHORIZED-P always
> returns T. You can override these:
>
> (defmethod request-authorized-p ((handler my-handler) method request)
> ....)
>
> (defmethod request-not-authorized ((handler my-handler) method request)
> (request-redirect blah))

So is the best way to use these to put the login form in one directory
and the protected content in another? Because I'm trying to figure out
how to check the authorization on all the protected files while still
allowing the login form to be served before authorization has been
granted.

Bill Atkins

May 12, 2006, 11:21:55 AM
Bill Atkins <NOatki...@rpi.edu> writes:

> Maybe this:
>
> (defclass protection-mixin ()
>   ())
>
> (defmethod request-authorized-p ((handler protection-mixin) method req)
>   ;; check here
>   )
>
> (defmethod request-not-authorized ((handler my-handler) method request)
>   (request-redirect ;; to login handler
>    ))
>
> (defclass my-first-handler (protection-mixin)
>   (...))
>
> (defclass my-other-handler (protection-mixin)
>   (...))
>
> Now any handler that mixes in (inherits from) PROTECTION-MIXIN will
> check the user's credentials. Have the REQUEST-NOT-AUTHORIZED method
> redirect to, e.g., LOGIN-HANDLER.
>
> You could also have the REQUEST-NOT-AUTHORIZED method for
> PROTECTION-MIXIN send a cookie back before the redirect. The login
> handler could then read it, so that a successful login would bring the
> user to the page they were originally trying to access.
>
> HTH.
>
> --
> This is a song that took me ten years to live and two years to write.
> - Bob Dylan

The class-name for REQUEST-NOT-AUTHORIZED should be PROTECTION-MIXIN.

Bill Atkins

May 12, 2006, 11:20:57 AM
"Jonathon McKitrick" <j_mck...@bigfoot.com> writes:

Maybe this:

(defclass protection-mixin ()
  ())

(defmethod request-authorized-p ((handler protection-mixin) method req)
  ;; check here
  )

(defmethod request-not-authorized ((handler my-handler) method request)
  (request-redirect ;; to login handler
   ))

(defclass my-first-handler (protection-mixin)
  (...))

(defclass my-other-handler (protection-mixin)
  (...))

Now any handler that mixes in (inherits from) PROTECTION-MIXIN will
check the user's credentials. Have the REQUEST-NOT-AUTHORIZED method
redirect to, e.g., LOGIN-HANDLER.

You could also have the REQUEST-NOT-AUTHORIZED method for
PROTECTION-MIXIN send a cookie back before the redirect. The login
handler could then read it, so that a successful login would bring the
user to the page they were originally trying to access.

HTH.

--
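
The mixin approach from this thread, with REQUEST-NOT-AUTHORIZED specialised on PROTECTION-MIXIN as the follow-up correction says, as an added example that is not code from the posters or from Araneida. It is a stand-alone CLOS model that does not load Araneida: HANDLER, LOGIN-HANDLER, MEMBERS-HANDLER, DISPATCH, SAFE-RETURN-PATH, AFTER-LOGIN, the :session-user key and the return-to cookie name are all hypothetical, and the generic functions are local stand-ins that only share their names with Araneida's.

```lisp
;;; Added example: models the thread's dispatch in plain CLOS; Araneida is not
;;; loaded. The generics are local stand-ins, requests are constructed plists.
(defclass handler () ())
(defclass protection-mixin () ())
(defclass login-handler (handler) ())                      ; stays public
(defclass members-handler (protection-mixin handler) ())   ; protected

(defgeneric request-authorized-p (handler method request)
  (:method ((handler t) method request)  ; default: always authorized
    (declare (ignore method request))
    t))

(defmethod request-authorized-p ((handler protection-mixin) method request)
  (declare (ignore method))
  ;; Assumption: :session-user was filled in by the app's own session check.
  (and (getf request :session-user) t))

(defparameter *path-chars*
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/-_.")

(defun safe-return-path (path)
  "PATH if it is a plain local path, otherwise \"/\"."
  (if (and (stringp path)
           (plusp (length path))
           (char= (char path 0) #\/)
           (not (search "//" path))      ; "//host" would leave the site
           (every (lambda (c) (find c *path-chars*)) path))
      path
      "/"))

(defgeneric request-not-authorized (handler method request))

(defmethod request-not-authorized ((handler protection-mixin) method request)
  (declare (ignore method))
  ;; Remember the requested page in a cookie, then redirect to the login page.
  (list :status 302 :location "/login"
        :set-cookie (format nil "return-to=~A; Path=/; HttpOnly"
                            (safe-return-path (getf request :path)))))

(defun dispatch (handler method request)
  (if (request-authorized-p handler method request)
      (list :status 200 :body (getf request :path))
      (request-not-authorized handler method request)))

(defun after-login (cookie-value)
  ;; The cookie comes back from the client, so validate it again before use.
  (list :status 302 :location (safe-return-path cookie-value)))

(print (dispatch (make-instance 'login-handler) :get '(:path "/login")))
(print (dispatch (make-instance 'members-handler) :get '(:path "/members/a.html")))
(print (after-login "//other-site.example/x"))
```

Because LOGIN-HANDLER does not inherit from PROTECTION-MIXIN, the login form is served before authorization, while every class that mixes it in is checked without listing individual files.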