cocoon-dev mailing list archives

From "Vadim Gritsenko" <>
Subject RE: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 13:40:49 GMT
> From: Daniel Fagerstrom []
> Greg Weinger wrote:


> > > Browsers know about the HTTP authentication protocol, and if you
> > that,
> > > they will send you username and password automatically.
> >
> > Where do you retrieve them? AFAIK they're not available in the
> > API.
> You can use getAuthType(), getRemoteUser(), getUserPrincipal(),
> and isUserInRole(java.lang.String role) in the HttpServletRequest
> Password is however not available as all the above methods rely on
> the servlet container taking care of user authentication.
> > Anyway, graphic designers loathe the HTTP authentication protocol.
> > only choice of input form is that gray box that pops-up (maybe not
> > mozilla XUL, but the world isn't there yet).  In most cases, you'll
> > wanting to use HTTP forms.
> Yes it is disturbing that one has to choose between design and
> level: Form based login is ok if you use HTTPS or if you don't think
> care if) someone tapping your wire. HTTP digest authentication gives
> much higher level of security against wire tapping if you
> want to use HTTPS, but in this case you will get gray box pop-ups in
> browser :(
> > The main problem, I think, is that HTTP requests on their own do not
> > have the concept of a user built into them, which is necessary to perform
> > user-based access control.
> They have, see (, for all the
> technical details ;). But it depends on the browser taking care of
> the protocol, which leads to: gray box pop-ups.

As you mentioned before: form-based login. IIRC, the servlet spec describes
it in detail. The only thing Cocoon needs is maybe an action to establish
user credentials in the servlet container once this form is submitted.

> > That information has to be established programmatically.  My thought
> > was, what if we built that concept into Cocoon?

It is built into the servlet spec. See answer from Greg Weinger (above).

> Yes, then I think that one either has to support rfc2617 in Cocoon,
> seem tricky, or use session based security, (IIRC there already are
> actions in Cocoon that take care of that). Implementing own support
> passing credentials back and forth for each request, seem to
> to me.

And already done by *any* servlet engine.
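The mechanism the thread keeps pointing at, form-based login as defined by the servlet spec, with the application reading only the identity the container established. This is an added example written for this archive page, not Cocoon code and not code posted by anyone in the thread. The role name "admin", the URL patterns, the page names and the servlet mapping are assumptions; the realm that backs the login (user database, LDAP, ...) is container-specific and not shown.

```java
// Added example (not Cocoon code): form-based login as the Servlet 2.3
// spec defines it, plus the four HttpServletRequest methods named in the
// thread. The container authenticates; the webapp only reads the result
// and never sees the password. Role "admin" and URL patterns are assumed.
//
// web.xml fragment (assumed deployment descriptor):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Admin pages</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>admin</role-name>
//     </auth-constraint>
//     <user-data-constraint>
//       <!-- CONFIDENTIAL forces HTTPS: the form posts the password in clear -->
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.html</form-login-page>
//       <form-error-page>/login-failed.html</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>admin</role-name></security-role>
//
// login.html: any design the graphic designers like; only the action
// j_security_check and the field names j_username / j_password are fixed
// by the spec. The container intercepts the POST, so no servlet handles it.
//
//   <form method="POST" action="j_security_check">
//     <input type="text" name="j_username">
//     <input type="password" name="j_password">
//     <input type="submit" value="Log in">
//   </form>

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Assumed to be mapped to /admin/whoami. */
public class WhoAmIServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // null when the container did not authenticate this request, e.g.
        // if the servlet is also reachable through a URL that no
        // security-constraint covers. Check it instead of trusting the
        // mapping alone.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // "FORM", "BASIC", "DIGEST" or "CLIENT_CERT": which mechanism the
        // container used. Nothing below depends on it, which is the point.
        String authType = req.getAuthType();

        // Same identity as getRemoteUser(), as a java.security.Principal.
        Principal principal = req.getUserPrincipal();

        // Role membership is answered by the container's realm; the webapp
        // keeps no user/role table and no password of its own.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + user);
        out.println("principal=" + principal.getName());
        out.println("authType=" + authType);
    }
}
```

Switching the `<auth-method>` to BASIC or DIGEST changes nothing in the servlet: the browser shows its gray box instead of the form, and the same four methods return the same information. The `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` line is what addresses the wire-tapping concern raised above for form login.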


