> > Ah, philosophy :-) > > > Yupp! > > Ok, I think we reached a state where it's difficult to say who is right > and who is wrong. > > Personally, I think that the meaning of 'groups' and roles is mixed > somewhere in the servlet spec. *My* understanding is that a person > can be in several groups at a time but has at once time only exactly > one role. This understanding might be right or wrong, doesn't matter, > at least these are only words. > > > > > > 2. In your example, I think you're indicating that some roles > are 'larger' > > than others and that the larger ones contain the smaller ones. E.g. the > > rights of the following roles from broadest to narrowest. > > No, I didn't want to indicate that. Roles may be disjunctive (I hope this > is the right word).
Ok. That sounds like my second example. > > > If you need this list of possibilities, I would suggest to not use the > > > 'role' entry, but a 'roles' entry. The authentication framework > > > is flexible > > > and can handle this automatically. > > > > Right, <roles> was something I mentioned earlier but it already does so? > > That's news to me :-) How does it do so automatically? Where do I > > start/look? > > > When a user is in the process of being authenticated, the framework calls > the authentication pipeline of the handler. For a successful > authentication, > this pipeline returns the authentication XML. You can simple extend > this XML, so that it has an additional <roles> entry parallel to <role>. > So, you can return > <authentication> > <ID/> > <role/> <!-- still optional, but required by the portal framework --> > <roles>a,b,c</roles> > </authentication> Ok. I was putting it in the <data> section (the docs made me think that was required, I'm glad it's not). And the <roles> will still be accessible through the getxml() calls/tags. > > > So, the authentication framework fits nicely into the servlet > > > role handling. > > > > Uh, I think I missed a leap somewhere :-) > > > > Can you please give me a pointer on what you mean? Are you talking about > > returning <roles> inside <data> and then selecting it when > needed? Are you > > saying that it can implement Realm based security? You lost me, sorry. > > > So, in your authentication resource, you have to fill the <roles> entry, > this can be done by calling the servlet api and getting the roles > information > from there. > For testing against a role you have to write your own code/component. Right, that I got. In summary, to use the portal, I would need to stick to one role at a time (e.g. in <role>). I simply extend the notion of <roles> myself. Thanks for your time, Per --------------------------------------------------------------------- Please check that your question has not already been answered in the FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html> To unsubscribe, e-mail: <[EMAIL PROTECTED]> For additional commands, e-mail: <[EMAIL PROTECTED]>