Ignacio Renuncio wrote: > Now, the problem is: > > The user/pass info is stored in a config file which is used by the Java code > to retrieve the nodes and its fields.
Btw, you could try 'classsecurity', an 1.8 feature, but can be build for 1.7 too (I can provide mmbase-classsecurity.jar). That would be a generic way to arrange this. > > So I think it's only valid for the JSP pages that use -that cloud handle-, > but not for the IMG SRC ImageServlet servlet request (done from the client > browser). > > If I store the login credentials in session, any anoymous visitor could get > into the MMBase installation without login. I don't want that at all. > > If not, how can I pass the 'cloud' handle to the ImageServlet? Or should I > pass user/password info? How? Should I use the "anonymous" user in MMBase to > get the images for the portal? Should I use a special user? I would indeed make sure that images are readable for 'anonymous'. Then you don't need a to supply credentials to ImageServlet, because it uses a 'anonymous' user then. If you have images which should not be world-readable then currently the only way to use ImageServlet is to have a cloud in the session. (See e.g. how <mm:image /> works in a logged-in page). The idea is that is it no problem if authorized users use the session. There is no way to supply credentials directly to ImageServlet. It would perhaps be an idea to make ImageServlet try 'class security' as well, because then you can in that way easily configure that images are always viewable, regardless of security settings which could simplify setting up security somewhat. I hope this answers you question, since I doubt if I understood you problem.. Michiel -- Michiel Meeuwissen mihxil' Mediacentrum 140 H'sum [] () +31 (0)35 6772979 nl_NL eo_XX en_US
