cocoon-users mailing list archives

From Ralph Goers <>
Subject RE: Authentication and Autorization
Date Tue, 09 Dec 2003 15:51:08 GMT
You should investigate the authentication framework block before you go too
far down the road.  It provides much of the functionality you are looking
for.  We have just completed integrating Cocoon's authorization framework
with JAAS and had to write two components to do it. The first component is
an authentication generator to perform the authentication and return the
required XML to the framework, along with the data to be associated with the
user. The generator creates an object which actually performs the
authentication. This object is saved in the session for later use. 

The second component is a PermissionSelector which is very similar to the
ExceptionSelector. When configuring the selector you define the permissions
that can be checked and then the selector actually checks to see if the end
user has the requested permission. The selector uses the object saved in the
session by the generator to do the permission check.


> -----Original Message-----
> From: Gianluca Sartori []
> Sent: Tuesday, December 09, 2003 7:08 AM
> To:
> Subject: Authentication and Autorization
> Hi all,
> I'm adapting an authentication/authorization system we are using within
> normal JSP/servlet pages. It consists of a simple class which must be
> instantiated at the beginning of the page. It knows where to redirect
> the user for authentication and within the JSP/Servlet you can use its
> methods to get user information such as the username, fullname,
> telephone, etc.
> What's the best place to encapsulate the functionalities provided by this
> class? I'm building an action for authentication purposes and I plan to
> develop a logicsheet to encapsulate authorization primitives so I can
> declaratively decide whether to make available some data or not
> depending on the current user role.
> Is this the way to go? I thought about encapsulating my class into an
> action, but this way I don't know how to take authorization decisions.
> For example I need one "edit" link if the user has the "Editors" role,
> but none if s/he has the "User" role. I don't want to create two
> different pages for this.
> Any help?
> Thanks,
> Gianluca
> -- 
> Gianluca Sartori                     ELIS - SIE - Software Development
> Via Sandro Sandri, 81                         (tel) +39
> 00159 Rome - Italy                            (fax) +39

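A minimal sketch of the two-component design described in the reply, added here as an example and not code from Ralph Goers or from Cocoon. A plain `Map` stands in for the session, and `AuthContext`, `AppPermission`, the `auth.context` key and the permission names are hypothetical; it uses only `java.security` classes, not Cocoon's selector interface or a JAAS login.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

public class PermissionSelectorSketch {
    static final String SESSION_KEY = "auth.context"; // hypothetical attribute name

    /** Hypothetical named permission, e.g. "edit". */
    static final class AppPermission extends BasicPermission {
        AppPermission(String name) { super(name); }
    }

    /** Object the authentication step creates and saves in the session. */
    static final class AuthContext {
        private final Permissions granted = new Permissions();
        AuthContext(String... names) {
            for (String n : names) granted.add(new AppPermission(n));
            granted.setReadOnly(); // grants cannot change after login
        }
        boolean hasPermission(Permission p) { return granted.implies(p); }
    }

    /** Selector: only permissions declared in its configuration can be tested. */
    static final class PermissionSelector {
        private final Map<String, Permission> configured = new HashMap<>();
        PermissionSelector(String... names) {
            for (String n : names) configured.put(n, new AppPermission(n));
        }
        boolean select(String expression, Map<String, Object> session) {
            Permission wanted = configured.get(expression);
            Object ctx = (session == null) ? null : session.get(SESSION_KEY);
            // Deny by default: undeclared permission, no session, or no login.
            if (wanted == null || !(ctx instanceof AuthContext)) return false;
            return ((AuthContext) ctx).hasPermission(wanted);
        }
    }

    public static void main(String[] args) {
        PermissionSelector selector = new PermissionSelector("edit", "view");
        Map<String, Object> editor = new HashMap<>();   // constructed sample sessions
        editor.put(SESSION_KEY, new AuthContext("edit", "view"));
        Map<String, Object> reader = new HashMap<>();
        reader.put(SESSION_KEY, new AuthContext("view"));
        System.out.println(selector.select("edit", editor));          // holds the permission
        System.out.println(selector.select("edit", reader));          // lacks the permission
        System.out.println(selector.select("edit", new HashMap<>())); // never authenticated
        System.out.println(selector.select("admin", editor));         // not declared in config
    }
}
```

The selector decides whether the "edit" link is rendered; the request handler behind that link still needs the same permission check.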