Matt Raible - 07/Mar/07 01:16 PM
Do you see any issues with removing the population of the protected "user" object altogether? This is left over from pre-Acegi days and pre "good security" as well - where we looked in the session for the user rather than using request.getRemoteUser().
I removed "user" in the Base*TestCase classes. Note that the following still exists in Tapestry's BasePageTestCase:
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRemoteUser("tomcat");
We should probably change "tomcat/tomcat" to "user/user" and "mraible/tomcat" to be "admin/admin" - I think that would be more acceptable to users.