cocoon-dev mailing list archives

From Niclas Hedhman <nic...@localbar.com>
Subject Re: [C2] (hopefully) last sitemap major changes
Date Mon, 03 Jul 2000 03:04:27 GMT
Nicola Ken Barozzi wrote:

> > > Another thing is security.
> >
> > yep, "another thing".
> >
> > > Now I made my taglib for security but why not specify it in the sitemap?
> >
> > For example?
>
> The web.xml in J2EE is similar in some ways to the sitemap; in it you can specify
> security constraints for web resource collections.
>
>     <security-constraint>
>       <web-resource-collection>
>          <web-resource-name>Protected Area</web-resource-name>
>          <!-- Define the context-relative URL(s) to be protected -->
>          <url-pattern>/restricted/*</url-pattern>
>          <!-- If you list http methods, only those methods are protected
>          <http-method>DELETE</http-method>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>          <http-method>PUT</http-method> -->
>       </web-resource-collection>
>
> Here you limit HTTP methods in a url pattern.
> In C2 you could limit views.
>
> Anyway security is much bigger than something to put in the sitemap.
> I am still confused on how it could be implemented.
> Are there any ideas on how C2 must deal with security issues, anyone?

I think the nearest we get in the first round is a FileAuthenticationChooser.
It will basically use a kind of .htaccess file in each directory, and then "grant access"
to that subpipe.
I have also been lurking with the idea of a ResourceAuthenticationChooser, which would
work on the Resource abstraction in the sitemap.

Stefano/Giacomo, since I am looking into these Choosers at the moment, how do they get a
reference to the whole Cocoon context, and such things as the resource/path in process and so
forth?

> > > How does it relate to the contracts?
> >
> > Which contracts? Sorry, I lost you here.
>
> The contracts between programmers, content creators, etc.
> Who should be in charge of security?

Site managers of course. Content creators and Style/Graphics people have no clue,
programmers never care, so...

Niclas
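
The quoted web.xml comment notes that once `<http-method>` elements are listed, only those methods are protected. The following Python check is an added example, not code from this thread or from Cocoon: it loads a constructed descriptor, decides whether a given method and path fall under a constraint, and reports collections that list methods. The sample XML, the role name and all function names are assumptions, and the descriptor is assumed to be DTD-style with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; the "Reports" collection lists methods, as in the quoted comment.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-style URL matching: path prefix ('/x/*'), extension ('*.x'), default ('/'), exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def load_collections(xml_text):
    """Return (name, url_patterns, listed_methods) for each web-resource-collection."""
    out = []
    for wrc in ET.fromstring(xml_text).iter("web-resource-collection"):
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = {m.text.strip() for m in wrc.findall("http-method")}
        out.append((wrc.findtext("web-resource-name", "?").strip(), patterns, methods))
    return out

def is_constrained(collections, method, path):
    """True if a collection covers the path and lists either no methods or this method."""
    return any(
        any(pattern_matches(p, path) for p in patterns) and (not methods or method in methods)
        for _, patterns, methods in collections)

def method_limited(collections):
    """Names of collections that list methods; requests using unlisted methods are not covered."""
    return [name for name, _, methods in collections if methods]
```
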

