Developer Documentation
PATH  WebObjects 4.5 Documentation > WebObjects Developer's Guide

Table of Contents Previous Section

Limitations on Direct Requests

 Users can access any page in an application without invoking an action. All they need to do is type in the appropriate URL. For example, you can access the second page of HelloWorld without invoking the sayHello action by opening this URL:

http://serverhost/cgi-bin/WebObjects/Examples/HelloWorld.woa/wo/Hello
When a WebObjects application receives such a request, it bypasses the user-input (takeValuesFromRequest:inContext:) and action-invocation (invokeActionForRequest:inContext:) phases because there is no user input to store and no action to invoke. As a result, the object representing the requested page-Hello in this case-generates the response.

By implementing security mechanisms in invokeActionForRequest:inContext:, you can prevent users from accessing pages without authorization, but only if those pages are not directly requested in URLs. To prevent users from directly accessing pages in URLs, override appendToResponse:inContext: instead.

Table of Contents Next Section