Say you have a site which must perform certain restricted activities, but those
activities should be invokable by anonymous users IF AND ONLY IF the users
initiate them from an authorized source (e.g., a specific DTML or ZPT script)...
what is the recommended way of setting this up?
Example:
Site X allows anonymous users to purchase an item. The purchase() method
is defined to be accessible only by a specific trusted/authenticated
user. The purchase() method should not be invokable by the anonymous
user, but if the anonymous user accesses the checkout page template, that page
template should be able to invoke purchase().
Now, say I want to invoke purchase() from an ExternalMethod that is called from
an anonymous context, what's the preferred way of setting and supplying the
appropriate credentials?
I have solved these problems "my way," think the solution is hairy and dirty,
and would therefore like to see what people's recommended solutions are.
A.