Tony Collen wrote:

hassan abolhassani wrote:

Hi all,
I have some concerns and would like to share them with you. Sorry if these have already been discussed or sound like nonsense. Anyway, I will be glad to hear your voices (I am not in the dev list, so please in case you post a reply send me a copy too).
1- I know that Cocoon provides different facilities for Authentication and protecting pipelines. However, I think it is possible to further simplify it. Suppose we add an attribute to <map:pipeline> for example 'protected' tag like:
<map:pipeline protected="yes">
...
</map:pipeline>
Seeing this and having a global definition of the authentication configurations as well as the action in case authentication fails, one may have an easier way to add authentication.

You can do the same now essentially with
<map:pipeline>
<map:match type="xxx">
... pipeline as before
</map:match>
</map:pipeline>

where the wrapping matcher checks your login state. I wrote a 30 second matcher which checks your container managed authentication state (against a role, for example) and it works like a charm. Matchers can be nested - we're used to seeing them one per "pipeline" (in the Generator-[Transformer]*-Serializer sense) but they work great in this case as well.

This is very interesting. IMO one thing that I'd like to see is a quick and easy way of protecting a URL using something similar to using an .htaccess file and using basic HTTP authentication. Unfortunately I think this would be the role of the servlet container, and I don't know if this would work any way with the CLI.

Again, a matcher to do that would be pretty simple. You could even probably use a 401 error code to force basic authentication without configuring it in web.xml.


Geoff
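
A sketch of the kind of wrapping matcher discussed in this thread, added here as an example and not code from any poster or from the Cocoon project. It assumes the Cocoon 2.1 `Matcher` interface and a servlet container that has already performed container-managed authentication; the class name `RoleMatcher`, its package, and the sitemap type name `role` are hypothetical.

```java
package example.cocoon; // hypothetical package name

import java.util.HashMap;
import java.util.Map;

import org.apache.avalon.framework.parameters.Parameters;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.matching.Matcher;
import org.apache.cocoon.sitemap.PatternException;

/*
 * Assumed sitemap usage (type name "role" is hypothetical):
 *
 *   <map:pipeline>
 *     <map:match type="role" pattern="admin">
 *       ... pipeline as before ...
 *     </map:match>
 *   </map:pipeline>
 *
 * A matcher that returns null only skips its own body. The request then
 * continues down the sitemap, so no later, unwrapped matcher may serve
 * the same URIs, or the protection is bypassed.
 */
public class RoleMatcher implements Matcher, ThreadSafe {

    public Map match(String pattern, Map objectModel, Parameters parameters)
            throws PatternException {
        // Fail closed: with no role configured, nothing matches.
        if (pattern == null || pattern.trim().length() == 0) {
            return null;
        }
        String role = pattern.trim();
        Request request = ObjectModelHelper.getRequest(objectModel);

        // The container sets the principal only after a successful login.
        if (request.getUserPrincipal() == null) {
            return null;
        }
        // Authenticated, but not in the required role: still no match.
        if (!request.isUserInRole(role)) {
            return null;
        }
        // A non-null Map signals a match; its entries become sitemap
        // variables ({user}, {role}) inside the wrapped pipeline.
        Map result = new HashMap();
        result.put("user", request.getRemoteUser());
        result.put("role", role);
        return result;
    }
}
```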


