cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Carsten Ziegeler" <>
Subject RE: [Q] SunRise roles?
Date Fri, 16 Aug 2002 08:19:27 GMT
Per Kreipke wrote:
> Ah, philosophy :-)

Ok, I think we reached a state where it's difficult to say who is right
and who is wrong.

Personally, I think that the meaning of 'groups' and roles is mixed
somewhere in the servlet spec. *My* understanding is that a person
can be in several groups at a time but has at once time only exactly
one role. This understanding might be right or wrong, doesn't matter,
at least these are only words.

> 2. In your example, I think you're indicating that some roles are 'larger'
> than others and that the larger ones contain the smaller ones. E.g. the
> rights of the following roles from broadest to narrowest.

No, I didn't want to indicate that. Roles may be disjunctive (I hope this
is the right word).

> > If you need this list of possibilities, I would suggest to not use the
> > 'role' entry, but a 'roles' entry. The authentication framework
> > is flexible
> > and can handle this automatically.
> Right, <roles> was something I mentioned earlier but it already does so?
> That's news to me :-) How does it do so automatically? Where do I
> start/look?
When a user is in the process of being authenticated, the framework calls
the authentication pipeline of the handler. For a successful authentication,
this pipeline returns the authentication XML. You can simple extend
this XML, so that it has an additional <roles> entry parallel to <role>.
So, you can return
   <role/> <!-- still optional, but required by the portal framework -->

> > So, the authentication framework fits nicely into the servlet
> > role handling.
> Uh, I think I missed a leap somewhere :-)
> Can you please give me a pointer on what you mean? Are you talking about
> returning <roles> inside <data> and then selecting it when needed? Are you
> saying that it can implement Realm based security? You lost me, sorry.
So, in your authentication resource, you have to fill the <roles> entry,
this can be done by calling the servlet api and getting the roles
from there.
For testing against a role you have to write your own code/component.


Please check that your question  has not already been answered in the
FAQ before posting.     <>

To unsubscribe, e-mail:     <>
For additional commands, e-mail:   <>

View raw message