cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tony Collen <>
Subject Re: Image-Based Authentication (Was: Re: [proposal] Doco)
Date Wed, 29 Oct 2003 17:17:03 GMT
Torsten Curdt wrote:
>> I spent an afternoon implementing it. It's a complicated beast, and it 
>> uses the intercepted flowscript in a big huge ugly hack... BUT... it 
>> works, which makes me happy :)  Check it out at [1] -- please go easy 
>> on it since this is my personal box at home and on my cablemodem.  I 
>> will clean it up and add it to the samples once I get my CVS problems 
>> straightened out.
> very cool ...but why was the intercepted flowscript necessary here?

To be honest, I couldn't get it to work with "regular" FS, so I used a brute force way of
getting it 
to work. It's ugly, and there's probably a simpler way of doing it -- in fact... PLEASE find
better way of doing it :)

Let me see if I can explain, since I don't have my code here with me right now.

<map:match pattern="">
   <map:call function="main"/>

function main() {
   var secret = generateSecret();

   while (true) {

      if (cocoon.request.get("secret") == secret) {


The problem comes in when we need to generate an image based off the same continuation ID
that we 
get from the first sendPageAndWait.  For instance, say we have the following pipeline to generate
image, and we want the requested image to actually be the continuation ID.

<map:match pattern="auth/*.jpg">
    <map:call continuation="{1}"/>

Ok, simple enough, but then the problem is that once we jump back into the continuation (which
the same as the one we get from the first sendPageAndWait), how do we know that we should
be serving 
an image instead of letting the loop continue?  If we use intercepted flow, we can check for

Changing the above snippet to:

<map:match pattern="auth/*.jpg">
   <map:call continuation="{1}">
     <!-- bigass hack  -->
     <map:parameter name="msg" value="doImage"/>

Then we write the interceptions for the main() method above:

// callbacks.js
function main() {
   continueExecution(): {
      if (cocoon.parameters.msg == "doImage") {
         cocoon.sendPage("internal/" + secret + ".jpg");

This is probably breaking some sort of good design practice... it's already approaching spaghetti

code status ;)

Anyway, whenever the continuation is restarted, continueExecution() is run, and we obviously
to see if we're getting a parameter named msg with a value of doImage, and if so, we sendPage
to a 
secret url that actually generates the image:

<!-- this would most likely be in an internal-only pipeline -->

<map:match pattern="internal/*.jpg">
   <map:generate src="docs/foo.xml"/>
   <map:transform src="xslt/foo2svg.xsl">
     <map:parameter name="secret" value="{1}"/>
   <map:serialize type="svg2jpeg"/>

Pretty self-explanatory... here we just pass the wildcard match to the XSLT which in turn
adds the 
appropriate <svg:text> element with the secret code.  There's a lot of little details
missing here 
since I don't have all the stuff in front of me.  There has to be a much much simpler way
of doing 
this, while also obscuring the URL of the image to generate.  Using continuation ID's seemed
most straightforward way to me, but it ended up also being quite complex.



View raw message