PATH  Documentation > WebObjects 4.5 > WebObjects Developer's Guide



Limitations on Direct Requests

Users can access any page in an application without invoking an action. All they need to do is type in the appropriate URL. For example, you can access the second page of HelloWorld without invoking the sayHello action by opening this URL:

http://serverhost/cgi-bin/WebObjects/Examples/HelloWorld.woa/wo/Hello

When a WebObjects application receives such a request, it bypasses the user-input (takeValuesFromRequest:inContext:) and action-invocation (invokeActionForRequest:inContext:) phases because there is no user input to store and no action to invoke. As a result, the object representing the requested page (Hello in this case) generates the response.

By implementing security mechanisms in invokeActionForRequest:inContext:, you can prevent users from accessing pages without authorization, but only if those pages are not directly requested in URLs. To prevent users from directly accessing pages in URLs, override appendToResponse:inContext: instead.
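
The following is an added example, not WebObjects code and not part of the original guide: a simplified Python model of the three phases described above, showing that a check placed only in the action-invocation phase never runs for a directly requested page, while a check in the response-generation phase does. The class names, the `handle` dispatcher, the request dictionaries, and the 403 result are all assumptions made for illustration.

```python
class Forbidden(Exception):
    """Raised when an unauthorized request reaches a guarded phase."""

class Page:
    """Stand-in for a page object; methods mirror the three phases."""
    body = "Hello, World!"
    def take_values_from_request(self, request):
        pass  # would store user input in the page's variables
    def invoke_action_for_request(self, request):
        return self  # would run the action and return the response page
    def append_to_response(self, request, response):
        response.append(self.body)

class ActionGuardedPage(Page):
    """Authorization check placed only in the action-invocation phase."""
    def invoke_action_for_request(self, request):
        if not request["authorized"]:
            raise Forbidden("action phase")
        return super().invoke_action_for_request(request)

class ResponseGuardedPage(Page):
    """Authorization check placed in the response-generation phase."""
    def append_to_response(self, request, response):
        if not request["authorized"]:
            raise Forbidden("response phase")
        super().append_to_response(request, response)

def handle(page, request):
    """Run only the phases that apply to this kind of request."""
    response = []
    try:
        if request["action"]:  # request names an action to invoke
            page.take_values_from_request(request)
            page = page.invoke_action_for_request(request)
        # A directly requested page URL has no action: phases 1-2 are skipped.
        page.append_to_response(request, response)
    except Forbidden as denied:
        return 403, f"denied in {denied}"
    return 200, "".join(response)

# Constructed sample requests (plain dicts, hypothetical fields).
DIRECT = {"action": None, "authorized": False}
VIA_ACTION = {"action": "sayHello", "authorized": False}

if __name__ == "__main__":
    for guard in (ActionGuardedPage, ResponseGuardedPage):
        for name, req in (("direct", DIRECT), ("action", VIA_ACTION)):
            print(guard.__name__, name, handle(guard(), req))
```

In this model the action and the response page live on the same object; in a real application the action usually belongs to the page that received the request and returns a different page, which is why the check belongs on the page that generates the response.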
