cocoon-dev mailing list archives

From "Vadim Gritsenko" <>
Subject RE: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 18:30:25 GMT
> From: Sylvain Wallez []
> Vadim Gritsenko wrote:
> <snip/>
> >>>The main problem, I think, is that HTTP requests on their own do
> >>>have the concept a user built into it, which is necessary to
> >>>user-based access control.
> >>>
> >>They have, see (, for all the
> >>technical details ;). But it depends on that the browser takes care
> >>the protocol, which leads to: gray box pop-ups.
> >>
> >
> >As you mentioned before: form-based login. IIRC, servlet spec
> >it in details. Only thing Cocoon needs is may be an action to
> >user credentials in the servlet container once this form is
> >
> <snip/>
> But the servlet spec doesn't allow a servlet to set the user
> in the container.

It will be set for you by the container.

Servlet spec 2.3, SRV.12.5.3 Form Based Authentication:
  4. The container attempts to authenticate the user
  using the information from the form.

If you want to do this by yourself, then yes, it is not specified in the
spec how to do this. But spec implementations usually provide you with
the (non-standard) way to handle this correctly (i.e. it will propagate
Principal you provided into the container). I remember some examples
from the Bea WebLogic server.

> A thing I already thought of about request locale: as Cocoon abstracts
> the environment, couldn't we "open" the request interface by adding
> setter methods that allow wrappers to return values set by Cocoon.
> To be clear:
> in Environment :
>   Principal getUserPrincipal();
>   void setUserPrincipal(Principal user);
> in HttpEnvironment :
>   Principal userPrincipal = null;
>   public void setUserPrincipal(Principal p) {
>     this.userPrincipal = p;
>   }
>   public Principal getUserPrincipal() {
>     if (this.userPrincipal != null) {
>       // a principal set by Cocoon (e.g. an authentication action) wins
>       return this.userPrincipal;
>     } else {
>       // otherwise fall back to what the servlet container knows
>       return this.httpRequest.getUserPrincipal();
>     }
>   }
> This would allow Action-based authenticator to set the User
> transparently to other components. The same could apply to
> which could be overridden by the LocaleAction.

Not good; this would not be propagated to the other environments, say,
into an EJB. Not to say that this is against any standards Java has.
And, same could be done using session:

   public Principal getUserPrincipal() {
     // a principal stored in the session by an authentication action wins,
     // otherwise fall back to the one the container knows about
     Principal p = (Principal) session.getAttribute("userPrincipal");
     if (p == null) {
       return request.getUserPrincipal();
     } else {
       return p;
     }
   }

> Another way to make these things transparent to other components is to
> replace the request in the object model, but I've been told that
> tweaking the object model is bad ;)

Same applies to the request ;)

