Hi Michiel, thank you for the quick answer. Comments:
> I would indeed make sure that images are readable for > 'anonymous'. Then you don't need a to supply credentials to > ImageServlet, because it uses a 'anonymous' user then. Ok, so I should leave every image world-readable. This is reasonable, but how can I do that? Images are created by different mmbase users (content authors), so their owner is set to the security context of the user that has created them. I can't give anonymous read access to -all of those- security contexts, so I was thinking of setting every image 'owner' field to 'imagesmodule' because it has anoymous access, but I don't know how to do it properly, this is, change the owner to 'imagesmodule' each time a user creates an object of type 'image'. Using a custom function for that nodebuilder? Any sample? If not, how can I change the owner from code? I could add a process that 'makes world-readable' a set of selected images... > If you have images which should not be world-readable then > currently the only way to use ImageServlet is to have a cloud > in the session. (See e.g. how <mm:image /> works in a > logged-in page). The idea is that is it no problem if > authorized users use the session. Good solution, but it's a portal with anoymous visitors so I think I can't take that approach because the credentials supplied have administrative rights (needed to be able to retrieve -any- required info). I could use a 'restricted user' instead, and put it on session. But that's really the purpose of the built-in 'anonymous', isn't it? > There is no way to supply credentials directly to > ImageServlet. It would perhaps be an idea to make > ImageServlet try 'class security' as well, because then you > can in that way easily configure that images are always > viewable, regardless of security settings which could > simplify setting up security somewhat. > > I hope this answers you question, since I doubt if I > understood you problem.. Oh yes, you really understood the problem. --- Anyway, how does people cope with this same problem in real MMBase installations with anonymous visitors (like portals)?? Did anybody have the same problem? Thank you again.
