Say you have a site which must perform certain restricted activities, but those
activities should be invokable by anonymous users IF AND ONLY IF the users
initiate them from an authorized source (e.g., a specific DTML or ZPT
script)...what is the recommended way of setting this up?

Example: Site X allows anonymous users to purchase an item. The purchase()
method is defined to be accessible only by a specific trusted/authenticated
user. The purchase() method should not be invokable by the anonymous user, but
if the anonymous user accesses the checkout page template, that page template
should be able to invoke purchase().

Now, say I want to invoke purchase() from an ExternalMethod that is called from
an anonymous context, what's the preferred way of setting and supplying the
appropriate credentials?

I have solved these problems "my way," think the solution is hairy and dirty,
and would therefore like to see what people's recommended solutions are.
A.