cocoon-dev mailing list archives

From giacomo <>
Subject Re: [RT] Access Control (was [RT] Cocoon as OS)
Date Wed, 06 Feb 2002 12:30:54 GMT
On Wed, 6 Feb 2002, Stefano Mazzocchi wrote:

> Daniel Fagerstrom wrote:
> > So, how can access control (AC) be integrated in Cocoon? And how much
> > would integration of AC need to affect the current architecture?
> These are good questions. I don't have solid answers, but some comments
> to share hoping to sparkle discussion in the right direction.
> > I think there are three main points for AC in Cocoon:
> >
> > 1. Protection of pipelines.
> > 2. Protection of request URI:s.
> > 3. Protection of resources (content and components) that are used to
> >    fulfill a request.
> Hmmm, ok for the first two, but I don't see the need for the third one.
> I mean: once you have your URIs and your URI protection, why would you
> need any more granularity?

Nothing is more annoying than presenting links to resources which are
outside the requestor's permission. Imagine you have content to describe
a navigation list. Would you write a separate one for all possible
permissions? I'd say no. You probably describe which permission is
required to include nodes of your content into the pipeline either into
the content or in a separate document (XLink approach).


> > Protection of Request URI:s
> > ---------------------------
> > One way to decouple pipeline construction from AC is to describe what
> > URI:s a certain user (principal) is allowed to access (and possibly in
> > what way), in a separate document. For this scenario the access rights
> > are checked before the rest of the sitemap is allowed to be
> > accessed. This could be done like this, e.g.:
> >
> >   <map:pipeline>
> >     <map:act type="deny-access" src="AC.xml">
> >       <map:redirect-to uri="login"/>
> >     </map:act>
> >
> >     <!-- Rules for actually doing something -->
> >
> >   </map:pipeline>
> This is how the Wyona folks implemented this.

Yup. We haven't had the time to think more about it as we need to have
the port work under Cocoon ASAP (yes, I'm involved in the port of the
Wyona-CMS from their XPS system to Cocoon).

> > There should also be utility functions in e.g. XSP for asking about if
> > an URI is accessible for the current user. This could be used to
> > choose the rendering scheme for links dependent on if they are
> > accessible or not.
> >
> > We need a format for describing the access rights.
> Yes. I can't remember what they used... hmmm, checkout
> yourself and see how they did it (now their XPS, eXtensible Publishing
> System, is entirely based on Cocoon... with the (paid) help of Giacomo
> :)

They use a subset of the ACML proposal donated by IBM
there. I think it is a good start for discussion formats.
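
The two ideas discussed in this thread, a URI gate driven by a separate access-rights document and a helper that asks whether a URI is accessible so that navigation nodes can be filtered, as an added Python sketch that is not part of the original message and is not Cocoon or Wyona code. The `<allow>` and `<node>` formats, the role names and every function name are assumptions made for this example; the format is not ACML.

```python
import posixpath
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed access-rights document (hypothetical format, not ACML).
AC_XML = """\
<access-control>
  <allow uri="login"   roles="*"/>
  <allow uri="docs/*"  roles="reader editor"/>
  <allow uri="edit/*"  roles="editor"/>
  <allow uri="admin/*" roles="admin"/>
</access-control>"""

# Constructed navigation content; one copy serves every permission level.
NAV_XML = """\
<nav>
  <node href="docs/index.html" label="Documentation"/>
  <node href="edit/index.html" label="Edit pages"/>
  <node href="admin/users"     label="User admin"/>
</nav>"""

def load_rules(ac_xml):
    """Return [(uri_pattern, roles)] in document order."""
    return [(r.get("uri"), set(r.get("roles", "").split()))
            for r in ET.fromstring(ac_xml).findall("allow")]

def is_accessible(rules, uri, roles):
    """Default deny: allow only if a matching rule names one of the roles."""
    # Collapse '..' and '//' first so 'docs/../admin/x' is judged as 'admin/x'.
    uri = posixpath.normpath("/" + uri).lstrip("/")
    held = set(roles)
    return any(fnmatchcase(uri, pattern) and ("*" in allowed or allowed & held)
               for pattern, allowed in rules)

def dispatch(rules, uri, roles):
    """Gate evaluated before any other rule, like the deny-access action."""
    if is_accessible(rules, uri, roles):
        return ("serve", uri)
    return ("redirect", "login")

def visible_nav(rules, nav_xml, roles):
    """Keep only the navigation nodes the principal could actually follow."""
    return [n.get("label") for n in ET.fromstring(nav_xml).iter("node")
            if is_accessible(rules, n.get("href"), roles)]

if __name__ == "__main__":
    rules = load_rules(AC_XML)
    print(dispatch(rules, "admin/users", ["reader"]))
    print(visible_nav(rules, NAV_XML, ["editor"]))
```

Because the gate and the link filter share one decision function, a link that is rendered is always one the request check will also accept.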

