I'm currently using that block, and wrote a pipeline that simply puts the request.getUserPrincipal().getName() (or whatever the API call is exactly) to authenticate a user (well, the user is already authenticated but it lets the authentication framework know that the user is authenticated). That works fine.
I also know that I can protect documents with that framework, but how can I specify that only users with a specific role can view that document (pipeline)? Do I need to write my own sitemap components for that (e.g. an action)?

Bart.

> -----Original Message-----
> From: Carsten Ziegeler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 21, 2004 3:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cocoon and security (JAAS or J2EE??)
>
> Bart Molenkamp wrote:
> >
> > Hi all,
> >
> > I've been looking for a good method of securing Cocoon web
> > applications.
> > I think that authentication/authorization via JAAS or via the
> > web container are good methods. Are there any implementations
> > available that integrate Cocoon and these security mechanisms?
> >
> > And if so, what are the possibilities of declarative security
> > and authorisation in sitemaps? E.g. declaring that a pipeline
> > can only be executed by users with a specific role?
> >
> You could use the authentication-fw block and write your own
> Authenticator for it. The authenticator is the connection
> between your Cocoon application and the security mechanism used.
>
> I think some time ago there were some guys who developed
> such an Authenticator - at least I think I saw it on the users
> list.
>
> Anyway, writing such an Authenticator is really simple. Once
> you have done this, you can configure it using the authentication
> framework and can then use declarative security in your sitemap
> (or in flow). You can test whether the user is authenticated, whether
> he is in a role, etc.
>
> HTH
> Carsten
