cocoon-users mailing list archives

From Ulrich Mayring
Subject Re: Protecting Binary Files
Date Thu, 21 Dec 2000 18:43:58 GMT
Robin Green wrote:
> Personally, I used a servlet for a similar task. There is little to no
> advantage in using Cocoon for that anyway.

Cocoon is a servlet as well, and each XSP page using the auth taglib can
be considered a servlet. So using a servlet is technically not very
different from using auth; the question is whether to do it inside the
Cocoon framework or not.

Some advantages of doing it inside Cocoon with auth are:

- Protection information is stored in the XML files themselves, so you
don't have to restart a servlet server if you make changes. Plus you
abstract security information from storage location - webservers can
only protect what is accessible via HTTP and a URL, and a custom servlet
usually depends on a database or the filesystem being there.

- Since auth manages and executes authentication at the level of XML
files, you can write a front-end for it (for example using the fp
taglib) and let users manage parts of security themselves. Does this
sound scary? Not really, in fact it improves security. Consider the case
of the fp taglib. If you allow your users to write to XML files with it,
then you need to set the filesystem permissions for this XML file to
world-writable (the world being your users). One user could therefore
modify another's XML file. If you offer a front-end, however, then your
users can insert protection directives themselves. Or you can
programmatically insert standard protection directives. The file will
still be world-writable in the filesystem, but not fp-writable anymore,
unless the user authenticates first.


Ulrich Mayring
DENIC eG, Systementwicklung
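
The point made in the message above, that a file can stay world-writable on disk yet stop being writable through the front-end, sketched as an added example (not code from the original message or from Cocoon). The `protect` element, its `users` attribute and all function names are hypothetical and are not the auth taglib's syntax.

```python
import xml.etree.ElementTree as ET

# Constructed sample document. The <protect> element and its "users"
# attribute are hypothetical stand-ins for a protection directive.
SAMPLE = '<page><protect users="alice"/><item>first entry</item></page>'


class WriteDenied(Exception):
    """Raised when the front-end refuses to modify a protected document."""


def allowed_writers(root):
    """Return the users named by the directive, or None if unprotected."""
    directive = root.find("protect")
    if directive is None:
        return None
    # An empty list yields an empty set, so nobody may write (fail closed).
    return {u.strip() for u in directive.get("users", "").split(",") if u.strip()}


def append_item(xml_text, text, user=None):
    """Append an <item>, enforcing the directive stored in the document itself.

    `user` is the identity the caller has already authenticated as,
    or None for an anonymous request.
    """
    root = ET.fromstring(xml_text)
    writers = allowed_writers(root)
    if writers is not None and user not in writers:
        raise WriteDenied(f"{user or 'anonymous'} may not modify this document")
    ET.SubElement(root, "item").text = text
    return ET.tostring(root, encoding="unicode")


def protect(xml_text, owner):
    """Programmatically insert a standard directive if none is present."""
    root = ET.fromstring(xml_text)
    if root.find("protect") is None:
        root.insert(0, ET.Element("protect", {"users": owner}))
    return ET.tostring(root, encoding="unicode")
```

The check only binds writes that go through the front-end; anything with direct filesystem access to the world-writable file bypasses it.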
