From: Giacomo Pati
Organization: PWR Organisation & Entwicklung
Date: Mon, 03 Jul 2000 08:57:20 +0200
To: cocoon-dev@xml.apache.org
Subject: Re: [C2] (hopefully) last sitemap major changes
Message-ID: <39603950.5C787CA0@pwr.ch>

Niclas Hedhman wrote:
>
> Nicola Ken Barozzi wrote:
>
> > > > Another thing is security.
> > >
> > > yep, "another thing".
> > >
> > > > Now I made my taglib for security but why not specify it in the sitemap?
> > >
> > > For example?
> >
> > The web.xml in J2EE is similar in some ways to the sitemap; in it you can specify
> > security constraints for web resource collections.
> >
> > Protected Area
> >
> > /restricted/*
> >
> > Here you limit HTTP methods in a url pattern.
> > In C2 you could limit views.
> >
> > Anyway security is much bigger than something to put in the sitemap.
> > I am still confused on how it could be implemented.
> > Are there any ideas on how C2 must deal with security issues anyone?
>
> I think the nearest we get in the first round is a FileAuthenticationChooser.
> It will basically use a kind of .htaccess file in each directory, and then "grant access"
> to that subpipe.
> I have also been lurking with the idea of a ResourceAuthenticationChooser, which would
> work on the Resource abstraction in the sitemap.
>
> Stefano/Giacomo, since I am looking into these Choosers at the moment, how do they get a
> reference to the whole Cocoon context, and such thing as resource/path in process and so
> forth.

Maybe this can work: If a Chooser implements SitemapComponent it gets
called at request time with setup (request, response, source,
parameters). Can this help you?

In the generated SitemapProcessor I'm working on, I've not decided to
use a tree of Configuration objects to serve the components (it derives
directly from the sitemap.xmap). If this is really necessary I will first
parse the sitemap.xmap file into a tree of Configuration objects and
afterwards generate the SitemapProcessor from it.

Giacomo

--
PWR GmbH, Organisation & Entwicklung      Tel:   +41 (0)1 856 2202
Giacomo Pati, CTO/CEO                     Fax:   +41 (0)1 856 2201
Hintereichenstrasse 7                     Mailto:Giacomo.Pati@pwr.ch
CH-8166 Niederweningen                    Web:   http://www.pwr.ch
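
An added example, not part of the original thread: a small audit of the web.xml security constraints mentioned in the quoted text. Under the Servlet specification, a constraint that lists `<http-method>` elements applies only to those methods, so any other method on the same URL pattern is unconstrained unless the descriptor sets `<deny-uncovered-http-methods/>`. The sample descriptor, the role name `admin` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): the constraint lists
# only GET and POST, so other methods on /restricted/* are left unconstrained.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Arbitrary non-standard verbs are uncovered too; this set is only for reporting.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def _children(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]

def audit_constraints(web_xml):
    """Return one finding per web-resource-collection, with the methods it leaves uncovered."""
    root = ET.fromstring(web_xml)
    deny_uncovered = bool(_children(root, "deny-uncovered-http-methods"))
    findings = []
    for sc in _children(root, "security-constraint"):
        auth_required = bool(_children(sc, "auth-constraint"))
        for wrc in _children(sc, "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if deny_uncovered:
                uncovered = set()            # container rejects uncovered methods
            elif listed:
                uncovered = STANDARD_METHODS - listed
            else:
                uncovered = omitted          # empty when no methods are named at all
            findings.append({"patterns": _texts(wrc, "url-pattern"),
                             "auth_required": auth_required,
                             "listed": sorted(listed),
                             "uncovered": sorted(uncovered)})
    return findings

if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print(finding)
```

A constraint with no `<http-method>` children covers every method, which is why the audit reports nothing uncovered in that case.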