cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Armaz Mellati" <>
Subject RE: Authentication puzzle
Date Wed, 10 Jan 2007 10:24:28 GMT

May I ask you what version av Cocoon you are using? I ask because the documentation you are
refering to is somewhat outdated if you
are using 1.2.10 (may be even for 1.2.9). 
I found out that in version 1.2.10 Cocoon is set up to use the new CoWarp authetication framwork
(Which is a better one). But things
are different when using that. If you look at your cocoon.xconf, you can find the following
"If you want to use the authentication framework, comment out the above line and uncomment
the following line:" 

Hope this helps.


> -----Original Message-----
> From: Peter Flynn [] 
> Sent: Wednesday, January 10, 2007 10:42 AM
> To:
> Subject: Re: Authentication puzzle
> Steven D. Majewski wrote:
> > My understanding is that the Authentication Framework is just a 
> > framework -- it doesn't itself do any authentication or 
> > encryption/decryption of passwords.
> I understand that it doesn't do any authentication: that's 
> what I wrote the little XML and XSLT files for: to output the 
> format specified in the doc at 
> I did, however, expect it to pass the password in crypt(3) 
> form, but that's not important for now.
> > It manages protected resources and restricts them to authenticated 
> > users. ( Because typically sites will want to plug in different 
> > authentication mechanisms. )
> Yes, that much I'm happy with. I'll eventually want this to 
> authenticate against Active Directory or an LDAP server.
> > I'm not clear on what you're trying to do. Are you doing 
> trying to do 
> > HTTP Basic Authentication ?
> For now I just want to authenticate using the little file I 
> posted, which provides a username and password per user that 
> I can match against locally.
> I'm not sure what "HTTP Basic Authentication" is (unless it's 
> like the method used by regular Apache httpd for web 
> passwords -- but that *does* use crypt(3)). I'm using the 
> file system: my auth.xml and auth.xsl with the 
> parameter_username and parameter_password as per the document 
> image in 
>        <map:match pattern="login">
> 	<map:generate src="auth.xml"/>
> 	<map:transform src="auth.xsl" type="xslt">
> 	  <map:parameter name="use-request-parameters" value="true"/>
>          </map:transform>
> 	<map:serialize type="xml"/>
>        </map:match>
> > And I'm not sure what you mean by "required crypt(3)" - 
> required by whom ?
> Me. I assumed (obviously wrongly) that Cocoon would handle 
> the encryption of the password. No matter -- for the moment I 
> don't care; but the problem still stands in that it isn't 
> coming back with authentication when I provide the right 
> userid/password pair in Cocoon, but it *does* provide the 
> specified output if I perform the same action from the shell 
> commandline using Saxon.
> > HTTP  Basic Authentication sends  the bas64 encoding of 
> "user:password"  
> > They aren't encrypted.
> Base64? Ewww. So if I store the userid and password in my XML 
> disk file in base64 encoding they should be matched?
> > ( But if you're trying to port users from an Apache 
> .htpasswd file , 
> > then THOSE entries are encrypted with crypt(3). That was my problem 
> > and I found and adapted a javascript version of crypt. )
> No, I wasn't trying to use those: I just assumed the concept 
> would be the same, only performed by my XML file and its XSLT 
> procedure.
> The documentation is missing this vital information in that case.
> Has anyone ever implemented a small test case where 
> authentication is performed by a component which just runs 
> XSLT over XML and matches the passed userid/password 
> parameters with values in the XML file, and returns the 
> format specified in the Cocoon doc at 
> ///Peter
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message