cocoon-dev mailing list archives

From "Antonio Gallardo" <agalla...@agsoftware.dnsalias.com>
Subject Re: Authentication framework - A new Action for multiple roles.
Date Sun, 18 May 2003 03:38:56 GMT
Hi Tuomo:

Thanks for your answer! Your suggestion really rocks, saving time!

Of course, define all the resources in the sitemap, but use the wildcard
matcher, which saves typing. For example:

<map:match pattern="usr-*.html">

can save writing out all the pages related to the users:

usr-add.html
usr-search.html
usr-edit.html
usr-result.html
usr-list.html
usr-change_password.html

The keyword will define a whole group of pages, and we send the keyword as a
parameter of the action. For example:

In the case described, the keyword can be "users".

Thanks again, we already included your suggestion in our specifications.

Best regards,

Antonio Gallardo




Tuomo L wrote:
> Hi Antonio,
>
> Would it be better to have the resources as "keywords" than as sitemap
> resources? If you have them as sitemap resources (ex.
> "../foo/bar.html"), then they are defined two times: in sitemap and in
> the database table. If the structure of the site changes (new subdirs
> etc.) then one needs to update the database also. The mapping of the
> keywords could be done in the sitemap by feeding the action with the
> keyword:
>
> <map:match pattern="protected.html">
>   <map:action type="multiple-role-auth-action">
>     <map:parameter name="resource" value="foobar"/>
>     <map:generate src="protected.xml"/>
>     ...
>   </map:action>
>   <map:redirect-to uri="access-denied.html"/>
> </map:match>
>
> Or is this how you have done it already? If so, forget this. Otherwise,
> comment! :)
>
> -Tuomo
>
> On Fri, 16 May 2003, Antonio Gallardo wrote:
>
>> Hi:
>>
>> Since we need to let more than one role access the same resource, I
>> was re-reading the docs about the authentication framework.
>>
>> The new action will allow checking permissions on a per-user basis, as
>> stored in the authentication context session.
>>
>> We build 5 tables into our database:
>>
>> auth_users       - The users that can use the application.
>> auth_roles       - Roles of the users.
>> auth_users-roles - Relation between users and roles.
>> auth_resources   - List of the protected resources
>> auth_permissions - Relationship between roles and resources.
>>
>> As you see from the tables, this allows:
>>
>> 1 user can have ONE OR MORE roles
>> 1 resource can be accessed by ONE OR MORE roles.
>>
>> THE NEW ACTION
>> It will get:
>> 1- The userid from the authentication session context, and
>> 2- The "requested resource" from the processed "request"
>>
>> Into the action we will do a simple SQL query that will find the
>> relation between the userid and the resource.
>>
>> If there is a resultSet the action will return a map. Else it will
>> return a NULL map, the action fails.
>>
>> ADMIN OF USERS, ROLES and RESOURCES
>> ===================================
>> Here some forms will come into play that will serve as a database
>> interface to the tables:
>>
>> USERS FORMS:
>>
>> Add user and give them the roles,
>> Edit user including enable or disable user, edit roles of the users.
>> Delete user.
>>
>> RESOURCES FORMS:
>> Add resources and define the roles that can access these resources.
>> Edit resources, including enable/disable resources, edit defined roles
>> that access the resource.
>> Delete resource
>>
>> ROLES:
>> Add role
>> Edit role, including enable/disable role.
>> Delete role.
>>
>> Well this is another use case for the authentication framework.
>>
>> What do you think about this approach, is this correct?
>> Is it possible to create another scenario without creating another action?
>>
>> I also posted this intro here because maybe we can find an approach
>> to authenticate using LDAP or a Java class.
>>
>> Best Regards,
>>
>> Antonio Gallardo
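
The permission lookup discussed in this thread, combined with Tuomo's keyword suggestion, as an added example (not code from either poster or from Cocoon). It uses Python with SQLite in place of a Cocoon action; the column names, the enabled flags as columns, the auth_users_roles spelling and the sample rows are assumptions.

```python
import sqlite3

# Assumed schema: the thread names the tables but not their columns.
# auth_users-roles is spelled auth_users_roles to avoid quoting the hyphen.
SCHEMA = """
CREATE TABLE auth_users       (id INTEGER PRIMARY KEY, login TEXT UNIQUE, enabled INTEGER);
CREATE TABLE auth_roles       (id INTEGER PRIMARY KEY, name TEXT UNIQUE, enabled INTEGER);
CREATE TABLE auth_resources   (id INTEGER PRIMARY KEY, keyword TEXT UNIQUE, enabled INTEGER);
CREATE TABLE auth_users_roles (user_id INTEGER, role_id INTEGER);
CREATE TABLE auth_permissions (role_id INTEGER, resource_id INTEGER);
"""

# Constructed sample data: alice is admin, bob is clerk plus a disabled
# auditor role, carol is a disabled admin.
SAMPLE = """
INSERT INTO auth_users VALUES (1,'alice',1),(2,'bob',1),(3,'carol',0);
INSERT INTO auth_roles VALUES (1,'admin',1),(2,'clerk',1),(3,'auditor',0);
INSERT INTO auth_resources VALUES (1,'users',1),(2,'reports',1);
INSERT INTO auth_users_roles VALUES (1,1),(2,2),(2,3),(3,1);
INSERT INTO auth_permissions VALUES (1,1),(1,2),(2,2),(3,1);
"""

# One row is enough: the user holds at least one enabled role that is
# granted the enabled resource. Values are bound, never concatenated.
CHECK = """
SELECT 1
FROM auth_users u
JOIN auth_users_roles ur ON ur.user_id = u.id
JOIN auth_roles r        ON r.id = ur.role_id AND r.enabled = 1
JOIN auth_permissions p  ON p.role_id = r.id
JOIN auth_resources res  ON res.id = p.resource_id AND res.enabled = 1
WHERE u.login = ? AND u.enabled = 1 AND res.keyword = ?
LIMIT 1
"""

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def is_allowed(db, login, keyword):
    """Mirror the action's contract: a map on success, None (deny) otherwise."""
    if not login or not keyword:
        return None  # no session user or no resource parameter: fail closed
    row = db.execute(CHECK, (login, keyword)).fetchone()
    return {"resource": keyword} if row else None

if __name__ == "__main__":
    db = open_sample_db()
    print([is_allowed(db, u, "users") for u in ("alice", "bob", "carol")])
```

Because the keyword comes from the sitemap parameter rather than the request URI, the lookup key is never attacker-supplied, and a wildcard match such as usr-*.html maps every page in the group to the same permission row.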



