cocoon-dev mailing list archives

From "Vadim Gritsenko" <vadim.gritse...@verizon.net>
Subject RE: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 18:30:25 GMT
> From: Sylvain Wallez [mailto:sylvain.wallez@anyware-tech.com]
> 
> Vadim Gritsenko wrote:
> 
> <snip/>
> 
> >>>The main problem, I think, is that HTTP requests on their own do not
> >>>have the concept of a user built into it, which is necessary to perform
> >>>user-based access control.
> >>>
> >>They have, see (ftp://ftp.isi.edu/in-notes/rfc2617.txt), for all the
> >>technical details ;). But it depends on that the browser takes care of
> >>the protocol, which leads to: gray box pop-ups.
> >>
> >
> >As you mentioned before: form-based login. IIRC, servlet spec describes
> >it in detail. Only thing Cocoon needs is maybe an action to establish
> >user credentials in the servlet container once this form is submitted.
> >
> <snip/>
> 
> But the servlet spec doesn't allow a servlet to set the user credentials
> in the container.

It will be set for you by the container.

Servlet spec 2.3, SRV.12.5.3 Form Based Authentication:
  4. The container attempts to authenticate the user
  using the information from the form.

If you want to do this by yourself, then yes, it is not specified in the
spec how to do this. But spec implementations usually provide you with
a (non-standard) way to handle this correctly (i.e. it will propagate the
Principal you provided into the container). I remember some examples
from the BEA WebLogic server.


> A thing I already thought of about request locale: as Cocoon abstracts
> the environment, couldn't we "open" the request interface by adding
> setter methods that allow wrappers to return values set by Cocoon.
> 
> To be clear :
> in Environment :
>   Principal getUserPrincipal();
>   setUserPrincipal(Principal user);
> 
> in HttpEnvironment :
>   Principal userPrincipal = null;
> 
>   public void setUserPrincipal(Principal p) {
>     this.userPrincipal = p;
>   }
> 
>   public Principal getUserPrincipal() {
>     // return the principal set by Cocoon if there is one,
>     // otherwise fall back to what the container knows
>     if (this.userPrincipal != null) {
>       return this.userPrincipal;
>     } else {
>       return this.httpRequest.getUserPrincipal();
>     }
>   }
> 
> This would allow Action-based authenticator to set the User
> transparently to other components. The same could apply to getLocale(),
> which could be overridden by the LocaleAction.

Not good; this would not be propagated to the other environments, say,
into an EJB. Not to say that this is against any standards Java has.
And, same could be done using session:

   public Principal getUserPrincipal() {
     // session attribute wins when set, otherwise ask the container
     if (session.getAttribute("userPrincipal") == null) {
       return request.getUserPrincipal();
     } else {
       return (Principal) session.getAttribute("userPrincipal");
     }
   }



> Another way to make these things transparent to other components is to
> replace the request in the object model, but I've been told that
> tweaking the object model is bad ;)

Same applies to the request ;)

Vadim
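An added example, not code from this thread or from Cocoon, of the session-based variant sketched above: a servlet Filter wraps each request in an HttpServletRequestWrapper whose getUserPrincipal() prefers what the container knows and otherwise consults the session, so downstream components see one consistent principal without the object model being tweaked. The login servlet, the Credentials store, the "userPrincipal" attribute name and the form field names are assumptions of this example. If the container's own FORM authentication is used instead (auth-method FORM in web.xml, the form posting j_username and j_password to j_security_check, per SRV.12.5.3), the container fills in getUserPrincipal() itself and none of this code is needed.

```java
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* Minimal Principal carrying only the login name; Serializable so it survives session persistence. */
final class NamePrincipal implements Principal, Serializable {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/*
 * The container's principal (set by the container after a FORM or BASIC login) wins;
 * otherwise fall back to the one the application stored in the session.
 * isUserInRole() is deliberately not overridden: the container does not know about the
 * session-stored principal, so container role checks and EJB caller identity are unaffected.
 */
final class PrincipalRequest extends HttpServletRequestWrapper {
    static final String PRINCIPAL_ATTR = "userPrincipal";   // attribute name assumed for this example

    PrincipalRequest(HttpServletRequest req) { super(req); }

    @Override
    public Principal getUserPrincipal() {
        Principal fromContainer = super.getUserPrincipal();
        if (fromContainer != null) {
            return fromContainer;
        }
        HttpSession session = getSession(false);   // never create a session just to look
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(PRINCIPAL_ATTR);
        return (stored instanceof Principal) ? (Principal) stored : null;
    }
}

/* Wraps every HTTP request so all downstream components see the merged principal. */
public final class PrincipalFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new PrincipalRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }
}

/* Constructed credential store for the example; a real one holds salted password hashes. */
final class Credentials {
    private static final Map<String, byte[]> STORE = new HashMap<String, byte[]>();
    static { STORE.put("alice", "s3cret".getBytes(StandardCharsets.UTF_8)); }

    static boolean check(String user, String pass) {
        byte[] expected = STORE.get(user);
        if (expected == null) {
            return false;
        }
        // constant-time comparison: do not leak the mismatch position through timing
        return MessageDigest.isEqual(expected, pass.getBytes(StandardCharsets.UTF_8));
    }
}

/* Hypothetical login servlet: on success, store the principal in a brand-new session. */
final class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !Credentials.check(user, pass)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any pre-login session so an attacker-chosen session id cannot be
        // promoted to an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(PrincipalRequest.PRINCIPAL_ATTR, new NamePrincipal(user));
        res.sendRedirect(req.getContextPath() + "/");
    }
}
```

Map PrincipalFilter to /* in web.xml so it runs before the Cocoon servlet. The session-stored principal is visible only through this wrapper; as noted in the message, it is not propagated to the container, so isUserInRole() and any EJB caller identity still reflect what the container authenticated, not what the application put in the session.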



---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org

