cocoon-dev mailing list archives

From Sylvain Wallez <>
Subject Re: [RT] Access Control (was [RT] Cocoon as OS)
Date Thu, 07 Feb 2002 20:58:13 GMT
Vadim Gritsenko wrote:

>>From: Sylvain Wallez []
>>Vadim Gritsenko wrote:

>>But the servlet spec doesn't allow a servlet to set the user
>>credential in the container.
>It will be set for you by the container.
There's a misunderstanding here : if authentication is performed by an 
Action, the container has already given us a request, and we cannot give 
it back the user info computed by this action.

>Servlet spec 2.3, SRV.12.5.3 Form Based Authentication:
>  4. The container attempts to authenticate the user
>  using the information from the form.
>If you want to do this by yourself, then yes, it is not specified in the
>spec how to do this. But spec implementations usually provide you with
>the (non-standard) way to handle this correctly (i.e. it will propagate
>Principal you provided into the container). I remember some examples
>from the Bea WebLogic server.
That's precisely what I'd like to avoid : write an authenticator for 
each and every servlet engine my app has to run on, including those I 
know nothing about :(

This is IMHO a major problem in J2EE. Could JAAS help here ?

>>A thing I already thought of about request locale: as Cocoon abstracts
>>the environment, couldn't we "open" the request interface by adding
>>setter methods that allows wrappers to return values set by Cocoon.
>>To be clear :
>>in Environment :
>>  Principal getUserPrincipal();
>>  void setUserPrincipal(Principal user);
>>in HttpEnvironment :
>>  Principal userPrincipal = null;
>>  public void setUserPrincipal(Principal p) {
>>    this.userPrincipal = p;
>>  }
>>  public Principal getUserPrincipal() {
>>    if (this.userPrincipal != null) {
>>      return this.userPrincipal;
>>    } else {
>>      return this.httpRequest.getUserPrincipal();
>>    }
>>  }
>>This would allow Action-based authenticator to set the User
>>transparently to other components. The same could apply to
>>getLocale(), which could be overridden by the LocaleAction.
>Not good; This would not be propagated to the other environments, say,
>into an EJB. Not to say that this is against any standards Java has.
>And, same could be done using session:
>   public Principal getUserPrincipal() {
>     if (session.getAttribute("userPrincipal") == null) {
>       return request.userPrincipal;
>     } else {
>       return (Principal) session.getAttribute("userPrincipal");
>     }
>   }
Do you mean this code could be the one in Cocoon's Request object ? 
Well, this avoids adding a setter, but the session then becomes a 
"hidden setter". And this changes nothing for EJBs.

BTW, Servlet 2.3 introduces Filters that allow wrapping of the Request 
and Response :
- what if a request wrapper changes the result of getUserPrincipal ? 
Will it be propagated to EJBs ?
- shouldn't we have something similar in our abstracted environment ?


Sylvain Wallez
Anyware Technologies -
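
The Servlet 2.3 request-wrapper idea raised at the end of this message, as an added example (not code from this thread or from Cocoon). The class names and the session key are hypothetical, and it assumes the application's login code stores a verified Principal in the session.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/** Servlet 2.3 filter that exposes an application-authenticated user through the standard request API. */
public class AppPrincipalFilter implements Filter {
    // Hypothetical session key: login code stores the Principal here only after verifying credentials.
    static final String KEY = "app.userPrincipal";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session just to look up a user
        Object stored = (session == null) ? null : session.getAttribute(KEY);
        if (stored instanceof Principal) {
            // Components further down the chain see the application's user via getUserPrincipal()
            chain.doFilter(new PrincipalRequest(http, (Principal) stored), res);
        } else {
            chain.doFilter(req, res); // unchanged: container identity, possibly none
        }
    }

    /** Wrapper that answers every identity accessor consistently from the same Principal. */
    static class PrincipalRequest extends HttpServletRequestWrapper {
        private final Principal user;

        PrincipalRequest(HttpServletRequest request, Principal user) {
            super(request);
            this.user = user;
        }

        public Principal getUserPrincipal() { return user; }
        public String getRemoteUser() { return user.getName(); }
        // This wrapper has no role source, so deny rather than answer for the container's principal.
        public boolean isUserInRole(String role) { return false; }
    }
}
```

The wrapped identity exists only for code that receives this request object after the filter. The container's own security context, including web.xml security constraints and calls into EJBs, is not changed by it.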
