cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Weinger" <>
Subject RE: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 20:15:49 GMT

> > But the servlet spec doesn't allow a servlet to set the user
> credentials
> > in the container.
> It will be set for you by the container.
> Servlet spec 2.3, SRV.12.5.3 Form Based Authentication:
>   4. The container attempts to authenticate the user
>   using the information from the form.
> If you want to do this by yourself, then yes, it is not specified in
> spec how to do this. 

I always handle this by myself, because of design requirements.  What
are other people's experiences?  

>But spec implementations usually provide you with
> the (non-statndard) way to handle this correctly (i.e. it will
> Principal you provided into the container). I remember some examples
> from the Bea WebLogic server.

And IHMO this sucks, because it's container-specific.  I would like an
abstraction for it within Cocoon as well, or at least a standard way of
handling it.


> Not good; This would not be propagated to the other environments, say,
> into an EJB. Not to say that this is against any standards Java has.
> And, same could be done using session:
>    public Principal getUserPrincipal() {
>      if (session.getAttribute("userPrincipal") == null) {
>        return request.userPrincipal;
>      } else {
>        return session.getAttribute("userPrincipal");
>      }
>    }

That's what I was thinking; I like the idea of having "reserved" Session
or Request attributes that hold that the user information.  


To unsubscribe, e-mail:
For additional commands, email:

View raw message