cocoon-dev mailing list archives

From "Antonio Gallardo" <>
Subject [Authentication-fw] XSP Action to validate multiple roles.
Date Sun, 18 May 2003 20:28:28 GMT

I wrote this XSP Action that, combined with the database model, is the first
draft in the resolution of the multiple roles (see below).

I tried it and it finally works!
The authorization just takes 12 ms using PostgreSQL.

Future enhancements:
At authentication, load the roles into the authentication session
context and, instead of using a database, check them directly. That would
make it more generic than it is now.


1-Declare XSP Actions in the sitemap:

<map:action name="xsp-action" logger="sitemap.action.xsp-action"

2-Put the Action to work in some pipeline:

<map:match pattern="acerca.html">
  <map:act type="xsp-action" src="auth-control-access.xsp">
    <map:parameter name="handler" value="agshandler"/>
    <map:parameter name="auth_control" value="empleados"/>

    <!-- User is authorized -->
    <map:generate src="protected_resource.xml"/>
    <map:transform src="2html.xslt"/>
  </map:act>
  <!-- User not authorized -->
  <map:generate src="no_authorized.xml"/>
  <map:transform src="2html.xslt"/>
</map:match>

That is all!

Please review the initial part where I get the userID to see whether it is
correct. I think we can use it instead of the "auth-protect" Action.

Please send comments about this work :)

Best Regards,

Antonio Gallardo.

<!-- **************** auth-control-access.xsp ****** -->

<?xml version="1.0"?>

<!-- This action controls access to the resources. It supports multiple
Author: Antonio Gallardo
Date: 17-May-2003

	1- Get parameter "auth_control" defined in the sitemap.
	2- Get the userID from the Authentication Manager.
	3- Execute SQL query.
	4- Check for results.

<xsp:page language="java" xmlns:xsp=""


		String currentUserId = null;
		String handlerName = null;
		String applicationName = null;
		String resourceKeyword = null;
		AuthenticationManager authManager = null;


		try {
			// Get parameters from the sitemap
			resourceKeyword = parameters.getParameter("auth_control", null);
			applicationName = parameters.getParameter("application", null);
			handlerName = parameters.getParameter("handler", null);

			/* Get the userID */
			try {
				authManager = (AuthenticationManager)
			} catch (ComponentException cme) {
				getLogger().error("Could not look up the authentication Manager", cme);

			// do authentication
			if ( !authManager.checkAuthentication(actionRedirector, handlerName, applicationName) ) {
				// All events are ignored
				// the sitemap.xsl ensures that only the redirect is processed
			} else {
				RequestState state = RequestState.getState();
				currentUserId = state.getHandler().getUserId();
		finally {
			manager.release( (Component)authManager );
				SELECT res_key, usr_login
				FROM ((auth_resources NATURAL JOIN auth_permission) NATURAL JOIN auth_roles)
					NATURAL JOIN (auth_users_roles NATURAL JOIN auth_users)
				WHERE res_enable=1 AND rol_enable=1 AND usr_enable=1
					AND res_key=<esql:parameter
					AND auth_users.usr_id=<esql:parameter
			<!-- improves performance -->
				<action:set-result name="authorized" value="true"/>
				<!-- <esql:row-results/> -->
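
The access check this action performs, as an added example that is not part of the original post: Python with an in-memory SQLite database stands in for the XSP/ESQL action and PostgreSQL. The table names and the res_key, usr_id, usr_login and *_enable columns come from the query above; the res_id and rol_id join columns, the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed schema and rows. Table names and the res_key, usr_id, usr_login
# and *_enable columns are from the post; res_id and rol_id are assumed keys.
SCHEMA = """
CREATE TABLE auth_users      (usr_id INTEGER PRIMARY KEY, usr_login TEXT, usr_enable INTEGER);
CREATE TABLE auth_roles      (rol_id INTEGER PRIMARY KEY, rol_enable INTEGER);
CREATE TABLE auth_resources  (res_id INTEGER PRIMARY KEY, res_key TEXT, res_enable INTEGER);
CREATE TABLE auth_users_roles(usr_id INTEGER, rol_id INTEGER);
CREATE TABLE auth_permission (rol_id INTEGER, res_id INTEGER);
INSERT INTO auth_users VALUES (1,'ana',1),(2,'luis',1),(3,'eva',0);
INSERT INTO auth_roles VALUES (10,1),(20,0);
INSERT INTO auth_resources VALUES (100,'empleados',1),(200,'nomina',0);
INSERT INTO auth_users_roles VALUES (1,10),(2,20),(3,10);
INSERT INTO auth_permission VALUES (10,100),(20,100),(10,200);
"""

# Explicit join keys instead of NATURAL JOIN, so a column added to a table
# later cannot silently change which rows match.
QUERY = """
SELECT 1
FROM auth_resources r
JOIN auth_permission p   ON p.res_id = r.res_id
JOIN auth_roles ro       ON ro.rol_id = p.rol_id
JOIN auth_users_roles ur ON ur.rol_id = ro.rol_id
JOIN auth_users u        ON u.usr_id = ur.usr_id
WHERE r.res_enable = 1 AND ro.rol_enable = 1 AND u.usr_enable = 1
  AND r.res_key = ? AND u.usr_id = ?
LIMIT 1
"""

def make_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def is_authorized(conn, user_id, resource_key):
    """True only if an enabled role of an enabled user grants the enabled resource."""
    if user_id is None or not resource_key:
        return False                      # no identity or no keyword: deny
    try:
        # Both values are bound parameters, never concatenated into the SQL.
        row = conn.execute(QUERY, (resource_key, user_id)).fetchone()
    except sqlite3.Error:
        return False                      # a failed lookup must not authorize
    return row is not None
```
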

