Per Kreipke wrote:
>
> Ah, philosophy :-)
>
Yupp!

Ok, I think we reached a state where it's difficult to say who is right
and who is wrong.

Personally, I think that the meaning of 'groups' and roles is mixed
somewhere in the servlet spec. *My* understanding is that a person
can be in several groups at a time but has at one time only exactly
one role. This understanding might be right or wrong, doesn't matter,
at least these are only words.


>
> 2. In your example, I think you're indicating that some roles are 'larger'
> than others and that the larger ones contain the smaller ones. E.g. the
> rights of the following roles from broadest to narrowest.

No, I didn't want to indicate that. Roles may be disjunctive (I hope this
is the right word).

>
> > If you need this list of possibilities, I would suggest to not use the
> > 'role' entry, but a 'roles' entry. The authentication framework
> > is flexible
> > and can handle this automatically.
>
> Right, <roles> was something I mentioned earlier but it already does so?
> That's news to me :-) How does it do so automatically? Where do I
> start/look?
>
When a user is in the process of being authenticated, the framework calls
the authentication pipeline of the handler. For a successful authentication,
this pipeline returns the authentication XML. You can simply extend
this XML, so that it has an additional <roles> entry parallel to <role>.
So, you can return
<authentication>
   <ID/>
   <role/> <!-- still optional, but required by the portal framework -->
   <roles>a,b,c</roles>
</authentication>

>
> > So, the authentication framework fits nicely into the servlet
> > role handling.
>
> Uh, I think I missed a leap somewhere :-)
>
> Can you please give me a pointer on what you mean? Are you talking about
> returning <roles> inside <data> and then selecting it when needed? Are you
> saying that it can implement Realm based security? You lost me, sorry.
>
So, in your authentication resource, you have to fill the <roles> entry,
this can be done by calling the servlet api and getting the roles
information from there.
For testing against a role you have to write your own code/component.

Carsten
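
Added example, not part of the original message and not Cocoon code: one way to write the role test mentioned above against the comma-separated <roles> entry, matching whole role names only. The class RolesCheck, its method names and the sample XML are hypothetical and constructed for illustration.

```java
import java.io.StringReader;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical helper (not a Cocoon class): reads the <roles> entry of the
// authentication XML shown in the message and answers membership questions.
public class RolesCheck {

    // Parse the comma-separated <roles> text into a set of exact role names.
    static Set<String> parseRoles(String authenticationXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The XML comes from our own pipeline, but refuse DOCTYPEs anyway.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(authenticationXml)));
        NodeList nodes = doc.getElementsByTagName("roles");
        if (nodes.getLength() != 1) {
            return Collections.emptySet(); // missing or ambiguous <roles>: grant nothing
        }
        Set<String> roles = new LinkedHashSet<>();
        for (String r : nodes.item(0).getTextContent().split(",")) {
            String name = r.trim(); // tolerate "a, b ,c"
            if (!name.isEmpty()) {
                roles.add(name);
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    // Exact, case-sensitive match on a whole role name, never a substring test.
    static boolean hasRole(Set<String> roles, String required) {
        return required != null && roles.contains(required);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in the shape given in the message.
        String xml = "<authentication><ID>jdoe</ID><role/>"
                   + "<roles>editor, sysadmin ,reviewer</roles></authentication>";
        Set<String> roles = parseRoles(xml);
        System.out.println(hasRole(roles, "sysadmin")); // a whole role name in the list
        System.out.println(hasRole(roles, "admin"));    // only a substring of "sysadmin"
        System.out.println(hasRole(roles, "Editor"));   // differs from "editor" in case
    }
}
```

Testing the raw <roles> string with a substring search would treat "admin" as present whenever "sysadmin" is, which is why the list is split into names first.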

