cocoon-dev mailing list archives

From "Antonio Gallardo" <agalla...@agsoftware.dnsalias.com>
Subject [Authentication-fw] XSP Action to validate multiple roles.
Date Sun, 18 May 2003 20:28:28 GMT
Hi:

I wrote this XSP Action that, combined with the database model, is the first
draft of the resolution of the multiple roles (see below).

I tried it and it finally works!
The authorization takes just 12 ms using PostgreSQL.

Future enhancements:
At authentication time, load the roles into the authentication session
context and, instead of using a database, check them directly. That would make
it more generic than it is now.

USAGE:

1-Declare XSP Actions in the sitemap:

<map:action name="xsp-action" logger="sitemap.action.xsp-action"
src="org.apache.cocoon.acting.ServerPagesAction"/>

2-Put the Action to work in some pipeline:

<map:match pattern="acerca.html">
  <map:act type="xsp-action" src="auth-control-access.xsp">
    <map:parameter name="handler" value="agshandler"/>
    <map:parameter name="auth_control" value="empleados"/>

    <!-- User is authorized -->
    <map:generate src="protected_resource.xml"/>
    <map:transform src="2html.xslt"/>
    <map:serialize/>
  </map:act>
  <!-- User not authorized -->
  <map:generate src="no_authorized.xml"/>
  <map:transform src="2html.xslt"/>
  <map:serialize/>
</map:match>

That is all!

Please review the initial part, where I get the userID, to see if this is
correct. I think we can use it instead of the "auth-protect" Action.

Please send comments about this work :)

Best Regards,

Antonio Gallardo.

<!-- **************** auth-control-access.xsp ****** -->

<?xml version="1.0"?>

<!-- This action controls access to the resources. It supports multiple
roles.
Author: Antonio Gallardo
Date: 17-May-2003

	1- Get the parameter "auth_control" defined in the sitemap.
	2- Get the userID from the Authentication Manager.
	3- Execute the SQL query.
	4- Check for results.
-->

<xsp:page language="java" xmlns:xsp="http://apache.org/xsp"
	xmlns:action="http://apache.org/cocoon/action/1.0"
	xmlns:esql="http://apache.org/cocoon/SQL/v2">

	<xsp:structure>
		<xsp:include>org.apache.cocoon.webapps.authentication.AuthenticationManager</xsp:include>
		<xsp:include>org.apache.cocoon.webapps.authentication.user.RequestState</xsp:include>
		<!-- Explicit imports for the Avalon and Cocoon classes used in the logic below -->
		<xsp:include>org.apache.avalon.framework.component.Component</xsp:include>
		<xsp:include>org.apache.avalon.framework.component.ComponentException</xsp:include>
		<xsp:include>org.apache.cocoon.ProcessingException</xsp:include>
	</xsp:structure>

	<xsp:init-page>
		String currentUserId = null;
		String handlerName = null;
		String applicationName = null;
		String resourceKeyword = null;
		AuthenticationManager authManager = null;
	</xsp:init-page>

<dummypage>
	<xsp:logic>
		try {
			// Get parameters from the sitemap
			resourceKeyword = parameters.getParameter("auth_control", null);
			applicationName = parameters.getParameter("application", null);
			handlerName = parameters.getParameter("handler", null);

			/* Get the userID */
			try {
				authManager = (AuthenticationManager) manager.lookup(AuthenticationManager.ROLE);
			} catch (ComponentException cme) {
				getLogger().error("Could not look up the AuthenticationManager", cme);
				// Without the manager nobody can be identified: abort the action
				// instead of dereferencing a null authManager below
				throw new ProcessingException("Could not look up the AuthenticationManager", cme);
			}

			// do authentication
			if ( !authManager.checkAuthentication(actionRedirector, handlerName, applicationName) ) {
				// All events are ignored
				// the sitemap.xsl ensures that only the redirect is processed
				// (currentUserId stays null, so the query below matches no row)
			} else {
				RequestState state = RequestState.getState();
				currentUserId = state.getHandler().getUserId();
			}
		}
		finally {
			// Only release a component that was actually looked up
			if (authManager != null) {
				manager.release( (Component)authManager );
			}
		}
	</xsp:logic>
	<esql:connection>
		<esql:pool>pla_pool</esql:pool>
		<esql:execute-query>
			<esql:query>
				SELECT res_key, usr_login
				FROM ((auth_resources NATURAL JOIN auth_permission) NATURAL JOIN auth_roles)
					NATURAL JOIN (auth_users_roles NATURAL JOIN auth_users)
				WHERE res_enable=1 AND rol_enable=1 AND usr_enable=1
					AND res_key=<esql:parameter type="string"><xsp:expr>resourceKeyword</xsp:expr></esql:parameter>
					AND auth_users.usr_id=<esql:parameter type="string"><xsp:expr>currentUserId</xsp:expr></esql:parameter>
			</esql:query>
			<!-- improves performance: one matching row is enough -->
			<esql:use-limit-clause/>
			<esql:skip-rows>0</esql:skip-rows>
			<esql:max-rows>1</esql:max-rows>
			<esql:results>
				<action:set-result name="authorized" value="true"/>
				<action:set-success/>
				<!-- <esql:row-results/> -->
			</esql:results>
			<esql:no-results>
				<action:set-failure/>
			</esql:no-results>
			<esql:error-results>
				<action:set-failure/>
			</esql:error-results>
		</esql:execute-query>
	</esql:connection>
</dummypage>

</xsp:page>
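An added example, not part of Antonio's post or of Cocoon, that reproduces the authorization query above in plain Python with sqlite3 so the multi-role semantics can be checked offline: the table and column names come from the posted query, while the join keys res_id and rol_id and all the rows are constructed assumptions. The nested natural joins are written as one left-to-right chain so the query runs under SQLite; the bound parameters play the role of esql:parameter.

```python
import sqlite3

# Constructed schema: table and column names follow the query in the posted XSP;
# the join keys res_id and rol_id are assumptions (the post does not show them).
SCHEMA = """
CREATE TABLE auth_resources   (res_id INTEGER PRIMARY KEY, res_key TEXT UNIQUE, res_enable INTEGER);
CREATE TABLE auth_roles       (rol_id INTEGER PRIMARY KEY, rol_name TEXT, rol_enable INTEGER);
CREATE TABLE auth_permission  (res_id INTEGER, rol_id INTEGER);
CREATE TABLE auth_users       (usr_id INTEGER PRIMARY KEY, usr_login TEXT, usr_enable INTEGER);
CREATE TABLE auth_users_roles (usr_id INTEGER, rol_id INTEGER);
"""

# Constructed sample data: 'ana' holds two roles but only 'staff' is enabled;
# 'bob' holds only the disabled 'admin' role; 'carl' is a disabled account.
SAMPLE_ROWS = [
    ("INSERT INTO auth_resources VALUES (?,?,?)", [(1, "empleados", 1), (2, "archivo", 0)]),
    ("INSERT INTO auth_roles VALUES (?,?,?)", [(1, "staff", 1), (2, "admin", 0)]),
    ("INSERT INTO auth_permission VALUES (?,?)", [(1, 1), (1, 2), (2, 1)]),
    ("INSERT INTO auth_users VALUES (?,?,?)", [(1, "ana", 1), (2, "bob", 1), (3, "carl", 0)]),
    ("INSERT INTO auth_users_roles VALUES (?,?)", [(1, 1), (1, 2), (2, 2), (3, 1)]),
]

# Same check as the esql query: a row exists iff the user is enabled, holds at
# least one enabled role, and that role is granted the enabled resource. The
# nested natural joins of the post are flattened into a chain for SQLite.
AUTH_QUERY = """
SELECT res_key, usr_login
FROM auth_resources NATURAL JOIN auth_permission NATURAL JOIN auth_roles
     NATURAL JOIN auth_users_roles NATURAL JOIN auth_users
WHERE res_enable = 1 AND rol_enable = 1 AND usr_enable = 1
  AND res_key = ? AND usr_id = ?
LIMIT 1
"""


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def is_authorized(conn: sqlite3.Connection, res_key: str, usr_id: int) -> bool:
    """Bound parameters, like esql:parameter, keep res_key out of the SQL text."""
    return conn.execute(AUTH_QUERY, (res_key, usr_id)).fetchone() is not None
```

Any enabled role with a grant is enough (ana), a grant held only through a disabled role does not count (bob), and a disabled user or resource never matches.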
