cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tuomo L <>
Subject Re: Authentication framework - A new Action for multiple roles.
Date Sat, 17 May 2003 14:31:31 GMT
Hi Antonio,

Would it be better to have the resources as "keywords" than as sitemap
resources? If you have them as sitemap resources (ex. "../foo/bar.html"),
then they are defined two times: in sitemap and in the database table.
If the structure of the site changes (new subdirs etc.) then one needs
to update the database also. The mapping of the keywords could be done
in the sitemap by feeding the action with the keyword:

<map:match pattern="protected.html">
  <map:action type="multiple-role-auth-action">
    <map:parameter name="resource" value="foobar"/>
    <map:generate src="protected.xml"/>
  <map:redirect-to uri="access-denied.html"/>

Or is this how you have done it already? If so, forget this. Otherwise,
comment! :)


On Fri, 16 May 2003, Antonio Gallardo wrote:

> Hi:
> Since we need to let more than one role to access the same resource. I was
> re-reading the docs about the authentication framework.
> The new action will allow to check permision on a user basis stored into
> the authentication context session.
> We build 5 tables into our database:
> auth_users       - The users that can use the application.
> auth_roles       - Roles of the users.
> auth_users-roles - Relation between users and roles.
> auth_resources   - List of the protected resources
> auth_permissions - Relationship between roles and resources.
> As you see from the tables, this allow:
> 1 user can have ONE OR MORE roles
> 1 resource can be accessed by ONE OR MORE roles.
> It will get:
> 1- The userid from the authentication session context, and
> 2- The "requested resource" from the processed "request"
> Into the action we will do a simple SQL query that will find the relation
> between the userid and the resource.
> If there is a resultSet the action will return a map. Else it will return
> a NULL map, the action fails.
> ===================================
> Here will go into the play some forms that will take serve as database
> interface to the tables:
> Add user and give them the roles,
> Edit user including enable or disable user, edit roles of the users.
> Delete user.
> Add resources and define the roles that can access this resources.
> Edit resources, including enable/disable resources, edit defined roles
> that access to the resource.
> Delete resource
> Add role
> Edit role, including enable/disable role.
> Delete role.
> Well this is another use case for the authentication framework.
> What do you think about this approach, is this correct?
> Is posible to create another scenario without creating another action?
> I also posted these intro here because maybe we can found an approach to
> authenticate using LDAP or a Java class.
> Best Regards,
> Antonio Gallardo

View raw message