cocoon-users mailing list archives

From "Andrew Stevens" <>
Subject Re: Restrict access to parts of sitemap
Date Fri, 21 Jul 2006 09:25:28 GMT
>From: Thomas Soddemann <>
>Date: Thu, 20 Jul 2006 13:57:42 -0600
>Andrew Stevens wrote:
>>Another possibility - you could always use the J2EE container-provided 
>>security and add a security-constraint to your web.xml for 
>><url-pattern>/buildindex</url-pattern>.  That might be simpler than 
>>learning the authentication framework or acegi if don't need to 
>>authenticate users in the rest of your site.
>Hi Andrew,
>what do you mean by "if [you] don't need to authenticate ..."?

Only that if you did have such a need, then for a full-blown authentication 
& authorisation solution the other mechanisms generally get mentioned here 
on the lists in preference to the J2EE security; if you didn't have that 
requirement, the standard J2EE mechanism may be quicker to get up & running 
than learning some other new method.  Of course, if you're using 
authentication on the rest of your site anyway, you could just use that 
mechanism to restrict the buildindex page to your own account.

>The remoteUser property is set in the HttpRequest if a user is 
>authenticated and can e.g. be used for authorization (apart from the 
>configurational authorization you have already mentioned).

It may depend on the container you're using, but in general I've found that 
even after logging in getRemoteUser returns null unless it's a request for a 
protected page (i.e. it's covered by a security constraint) in which case 
you'll probably have a role specified anyway.

>Depending on the security module employed, additional information is 
>"shipped" with each HttpRequest or set in the session.

