Vadim Gritsenko wrote: <snip/>
>>>The main problem, I think, is that HTTP requests on their own do not
>>>have the concept of a user built into it, which is necessary to perform
>>>user-based access control.
>>>
>>They have, see (ftp://ftp.isi.edu/in-notes/rfc2617.txt), for all the
>>technical details ;). But it depends on that the browser takes care of
>>the protocol, which leads to: gray box pop-ups.
>>
>
>As you mentioned before: form-based login. IIRC, servlet spec describes
>it in details. Only thing Cocoon needs is may be an action to establish
>user credentials in the servlet container once this form is submitted.
>
<snip/>

But the servlet spec doesn't allow a servlet to set the user credentials in the container.

A thing I already thought of about request locale: as Cocoon abstracts the environment, couldn't we "open" the request interface by adding setter methods that allow wrappers to return values set by Cocoon.

To be clear:

in Environment:

    // Principal is java.security.Principal
    Principal getUserPrincipal();
    void setUserPrincipal(Principal user);

in HttpEnvironment:

    Principal userPrincipal = null;

    public void setUserPrincipal(Principal p) {
        this.userPrincipal = p;
    }

    public Principal getUserPrincipal() {
        // Prefer the principal set by Cocoon, else ask the container
        if (this.userPrincipal != null) {
            return this.userPrincipal;
        } else {
            return this.httpRequest.getUserPrincipal();
        }
    }

This would allow Action-based authenticator to set the User transparently to other components. The same could apply to getLocale(), which could be overridden by the LocaleAction.

Another way to make these things transparent to other components is to replace the request in the object model, but I've been told that tweaking the object model is bad ;)

Thoughts ?

Sylvain

--
Sylvain Wallez
Anyware Technologies - http://www.anyware-tech.com
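
Added example, not part of the message above and not Cocoon code: the override-with-fallback getter from the proposal, written as a stand-alone Java program. ContainerRequest and OverridableRequest are hypothetical names; the set-once rule and deriving getRemoteUser() from the same principal are assumptions added here so that downstream components never see two different identities.

```java
import java.security.Principal;

// Added illustration; ContainerRequest and OverridableRequest are hypothetical
// names, not Cocoon or servlet API types.
public class PrincipalOverrideDemo {

    /** Stand-in for the container's request (assumption, not a real API). */
    interface ContainerRequest {
        Principal getUserPrincipal();
        String getRemoteUser();
    }

    /** Wrapper with the proposed setter; falls back to the container when unset. */
    static final class OverridableRequest implements ContainerRequest {
        private final ContainerRequest delegate;
        private Principal userPrincipal; // null until an authenticator sets it

        OverridableRequest(ContainerRequest delegate) { this.delegate = delegate; }

        /** Set-once: a later component cannot replace an established identity. */
        void setUserPrincipal(Principal p) {
            if (p == null) throw new IllegalArgumentException("principal required");
            if (userPrincipal != null) throw new IllegalStateException("principal already set");
            userPrincipal = p;
        }

        @Override public Principal getUserPrincipal() {
            return userPrincipal != null ? userPrincipal : delegate.getUserPrincipal();
        }

        /** Derived from the same source so both accessors always agree. */
        @Override public String getRemoteUser() {
            Principal p = getUserPrincipal();
            return p != null ? p.getName() : null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a container that performed no authentication.
        ContainerRequest anonymous = new ContainerRequest() {
            public Principal getUserPrincipal() { return null; }
            public String getRemoteUser() { return null; }
        };
        OverridableRequest req = new OverridableRequest(anonymous);
        System.out.println(req.getRemoteUser());   // before the login action runs
        req.setUserPrincipal(() -> "alice");        // form-login action succeeded
        System.out.println(req.getUserPrincipal().getName() + " " + req.getRemoteUser());
    }
}
```

Only the component that actually verified the credentials should be able to reach setUserPrincipal(); every other component should see the read-only accessors.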