cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vadim Gritsenko" <vadim.gritse...@verizon.net>
Subject RE: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 13:40:49 GMT
> From: Daniel Fagerstrom [mailto:Daniel.Fagerstrom@lentus.se]
> 
> Greg Weinger wrote:

<snip/>

> > > Browsers know about the HTTP authentication protocol, and if you
use
> > that,
> > > they will send you username and password automatically.
> >
> > Where do you retrieve them? AFAIK they're not available in the
Servlet
> > API.
>
> You can use getAuthType(), getRemoteUser(), getUserPrincipal(),
> and isUserInRole(java.lang.String role) in the HttpServletRequest
interface.
> Password is however not availible as all the above methods rely on
that
> the servlet container takes care of user authentication.
>
> > Anyway, graphic designers loathe the HTTP authentication protocol.
Your
> > only choice of input form is that gray box that pops-up (maybe not
in
> > mozilla XUL, but the world isn't there yet).  In most cases, you'll
be
> > wanting to use HTTP forms.
>
> Yes it is disturbing that one have to choose between design and
security
> level: Form based login is ok if you use HTTPS or if you don't think
(or
> care if) someone taping your wire. HTTP digest authentication gives
you
> much higher security level of security against wire tapping if you
don't
> want to use HTTPS, but in this case you will get gray box pop-ups in
the
> browser :(
> 
> > The main problem, I think, is that HTTP requests on their own do not
> > have the concept a user built into it, which is necessary to perform
> > user-based access control.
>
> They have, see (ftp://ftp.isi.edu/in-notes/rfc2617.txt), for all the
> technical details ;). But it depends on that the browser takes care of
> the protocol, which leads to: gray box pop-ups.

As you mentioned before: form-based login. IIRC, servlet spec describes
it in details. Only thing Cocoon needs is may be an action to establish
user credentials in the servlet container once this form is submitted.


> > That information has to be established programmatically.  My thought
> > was, what if we built that concept into Cocoon?

It is built in into servlet spec. See answer from Greg Weinger (above).

> Yes, then I think that one either have to suport rfc2617 in Cocoon,
which
> seem tricky, or use session based security, (IIRC there already are
som
> actions in Cocoon that takes care of that). Implementing own support
for
> passing credentials back and forth for each request, seem to
complicated
> to me.

And already done by *any* servlet engine.


Vadim


---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message