cocoon-dev mailing list archives

From Giacomo Pati <>
Subject Re: [C2]Access control using sitemap
Date Fri, 08 Sep 2000 20:40:47 GMT
Lassi Immonen wrote:
> > > I really would like to use Cocoon2 in our web/content management project.
> > > Could someone give some advice how to implement user identification/access
> > > control using sitemap? It has to be some kind of selector and all requests
> > > have to go through same point?
> >
> > IIRC, there was a policy to not handle authorisation and authentication
> > in the sitemap, and let the web server handle that.
> Is there any reason not to use sitemap as basis of creating access control
> system?

Not really. Nobody stops you from doing so. But wouldn't you think that
especially authentication is better done at the servlet container side?
It offers many ways to do so, from basic and form based authentication to
strong client side authentication using certificates.

> It's not going to be only access control, I plan to have ability to produce
> dynamic content based on userprofile in database.

IMHO this is another part. Usually it's called authorisation. Of course
this is something that only your application can determine and would
clearly fit into the sitemap or better into XSP pages.

> >
> > However, you could write a selector to handle it, yes.  Off the top of
> > my head: just wrap all pages to be protected and test the user's
> > credentials, if it fails redirect to a "permission denied" page.
> I cannot see any other examples as to start other than recently added
> BrowserSelector, so would my "AccessSelector" work like:
> <map:selector name="access" factory="my.AccessSelector">
> ??
> </map:selector>

I don't think this is a good example using a factory class. Probably a
normal class is good enough for that. Please get in touch with the
difference between a selector/matcher factory and a normal class by
reading the Interfaces.

> and
> <map:match pattern="mysite/*">
>     <map:select type="access">
> <map:when test="granted">
>     ?? how to use this as starting point to all my content residing under
> mysite/
> </map:when>
> <map:otherwise>
>     <map:redirect-to uri="login"/>
> </map:otherwise>
> </map:select>
> </map:match>

Yes, more or less that way. We have to prove if a web application can be
written in a MVC manner using selectors/matchers as Controllers of the
Model and XSP pages as Views of the Model.

> And in AccessSelector code, can I access database through JDBC? It's not
> very clear to me how to maintain for example my custom Users-object live
> somewhere with possible connection to database and accessible from
> AccessSelector?  Any advice?

Any sitemap component has full access to the objectModel (means Request,
Response, Context and thus Session) and can make whatever seems
appropriate (even JDBC access to databases).

> Anyway from BrowserSelector code I can see how one can get request object.

Yes, have a look at CocoonServlet to see what else is in the


PWR GmbH, Organisation & Entwicklung      Tel:   +41 (0)1  856 2202
Giacomo Pati, CTO/CEO                     Fax:   +41 (0)1  856 2201
Hintereichenstrasse 7                     Mobil: +41 (0)78 759 7703 
CH-8166 Niederweningen           
