cocoon-dev mailing list archives

From Sylvain Wallez <>
Subject Re: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 17:42:47 GMT
Vadim Gritsenko wrote:


>>>The main problem, I think, is that HTTP requests on their own do not
>>>have the concept of a user built into it, which is necessary to perform
>>>user-based access control.
>>They have, see (, for all the
>>technical details ;). But it depends on that the browser takes care of
>>the protocol, which leads to: gray box pop-ups.
>As you mentioned before: form-based login. IIRC, servlet spec describes
>it in detail. The only thing Cocoon needs is maybe an action to establish
>user credentials in the servlet container once this form is submitted.

But the servlet spec doesn't allow a servlet to set the user credentials 
in the container.

A thing I already thought of about request locale : as Cocoon abstracts 
the environment, couldn't we "open" the request interface by adding 
setter methods that allow wrappers to return values set by Cocoon?

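To be clear :
in Environment :
  Principal getUserPrincipal();
  void setUserPrincipal(Principal user);

in HttpEnvironment :
  // Principal set by Cocoon (e.g. by an action); null when none was set
  Principal userPrincipal = null;

  public void setUserPrincipal(Principal p) {
    this.userPrincipal = p;
  }

  public Principal getUserPrincipal() {
    // Return the Cocoon-set principal if there is one,
    // otherwise fall back to the container's principal
    if (this.userPrincipal != null) {
      return this.userPrincipal;
    } else {
      return this.httpRequest.getUserPrincipal();
    }
  }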

This would allow an Action-based authenticator to set the User 
transparently to other components. The same could apply to getLocale(), 
which could be overridden by the LocaleAction.

Another way to make these things transparent to other components is to 
replace the request in the object model, but I've been told that 
tweaking the object model is bad ;)

Thoughts ?


Sylvain Wallez
Anyware Technologies -
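
The override-with-fallback accessor proposed in the message above, as an added Java example that is not part of the original message or of Cocoon's code. `ContainerRequest`, `OverridableEnvironment`, the wrapper's `getRemoteUser()` and the set-once rule are assumptions made for illustration; the user names are constructed.

```java
import java.security.Principal;

// Constructed stand-in for the container's request; not the servlet API.
interface ContainerRequest {
    Principal getUserPrincipal();
}

// Hypothetical environment wrapper: a principal set by Cocoon wins,
// otherwise the container's principal is returned.
class OverridableEnvironment {
    private final ContainerRequest httpRequest;
    private Principal userPrincipal; // null until an authenticator sets it

    OverridableEnvironment(ContainerRequest httpRequest) {
        this.httpRequest = httpRequest;
    }

    // Assumption: set once per request. Refusing a second set keeps a later
    // component from swapping the identity earlier checks relied on.
    void setUserPrincipal(Principal p) {
        if (p == null) throw new IllegalArgumentException("principal required");
        if (userPrincipal != null) throw new IllegalStateException("principal already set");
        userPrincipal = p;
    }

    Principal getUserPrincipal() {
        return (userPrincipal != null) ? userPrincipal : httpRequest.getUserPrincipal();
    }

    // Derived from the same accessor so name and principal never disagree.
    String getRemoteUser() {
        Principal p = getUserPrincipal();
        return (p == null) ? null : p.getName();
    }
}

public class PrincipalOverrideDemo {
    public static void main(String[] args) {
        // Form-based login: the container itself knows no user.
        OverridableEnvironment env = new OverridableEnvironment(() -> null);
        System.out.println("before login: " + env.getRemoteUser());
        env.setUserPrincipal(() -> "alice"); // what a login action would do
        System.out.println("after login: " + env.getRemoteUser());
        try {
            env.setUserPrincipal(() -> "bob"); // a second set is refused
        } catch (IllegalStateException e) {
            System.out.println("second set refused: " + e.getMessage());
        }
    }
}
```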
