CALL FOR: Improvements on ImageServlet
Called by: Michiel Meeuwissen Total tally on this call : +7
START OF VOTING: 2004-10-05 22:00 END OF CALL: 2004-10-08 22:00
YEA (7) : Rob van Maris, Gerard van Enk, Kees Jongenburger, Rico Jansen, Daniel Ockeloen, Pierre van Rooden, Ernst Bunders
ABSTAIN (0) :
NAY (0) :
VETO (0) :
No votes, assumed abstained (8): Eduard Witteveen, Jaco de Groot, Marcel Maatkamp, Andre van Toly,
Johannes Verelst, Rob Vermeulen, Nico Klasens, Mark Huijser
Result: the vote succeeded, the hack can be added.
Michiel Meeuwissen wrote:
In the optimalization project meeting of today we have decided that JamesServlet and extensions can be moved to the 'scan application' (if at least the vote succeeds).
The most noticeable extension of JamesServlet is servdb, which can (among others) serve the bytes of image nodes and attachments.
An alternative for this functionality are ImageServlet and AttachentServlet (extensions of MMBaseServlet).
Currently there are a few fundamental differences between servdb and those MMBaseServlet extensions:
1. ImageServlet does not accept transformation templates on the URL. 2. These servlet use bridge, and therefore security. Especially to check for read-rights. Servdb does not.
The first issue could be considered a good thing, but since servdb could do it, and that one will be dropped (moved to scan which is nearly the same..), I implemented an alternative in ImageServlet. This behavior is configurable though, by an init-parameter of the Servlet in web.xml
<init-param> <param-name>convert</param-name> <param-value>true</param-value> </init-param>
This 'convert' parameter defaults to false, when not set at all. I'll add it to the default web.xml (also set to false), do document it.
The second issue is also a good thing, but sometimes you may want to bypass security for such servlets. E.g. because it would be cumbersome to configure security right.
As suggested in the thread "Images and users/permissions" of sept 28, it may be a nice idea if such servlets could profit from the 1.8 feature 'class security'.
So I implemented this, because this can also practicly take away this second difference between servdb and ImagesServlet/AttachmentServlet.
If you add <authenticate class="org\.mmbase\.servlet\.ImageServlet">
<property name="username" value="admin" />
</authenticate>
to classauthentication.xml then ImageServlet will receive admin rights if a it tries to serve in image which is not readable by anonymous.
While being at it, I added a last improvement to these servlets. This improvement is actually unrelated to servdb. In 1.8 you can easily define 'lastmodified' field, which will automaticly be filled with the time of last modification (see fieldtypedefinitions.xml). Since these servlets do basicly serve one node, it would be nice if they could use this field, to fill in the LastModified HTTP header of the response.
In the offered implementation this can be trigged with the init-parameter: <init-param> <param-name>lastmodifiedfield</param-name> <param-value>lastmodified</param-value> </init-param> (on ImageServlet and AttachmentServlet).
The configured field (if set, and not set to empty string) will be used to determin the last-modified header. Sadly - if you are going to check it out - it does not work yet for icaches, but that is because the lastmodified field is not filled in those (an issue for the field-types project).
To reach the above goals, I added a few (protected) methods to BridgeServlet, HandleServlet, ImageServlet and AttachmentServlet. Also I changed the prototypes of a few methods:
final protected Cloud getCloud(HttpServletRequest req, HttpServletResponse res, QueryParts qp) throws IOException { becomes: final protected Cloud getCloud(QueryParts qp) throws IOException {
final protected Node getNode(HttpServletRequest req, HttpServletResponse res) throws IOException { becomes: final protected Node getNode(QueryParts query) throws IOException {
and: protected boolean setContent(HttpServletRequest req, HttpServletResponse res, Node node, String mimeType) throws IOException { becomes protected boolean setContent(QueryParts query, Node node, String mimeType) throws IOException {
This simplified implementations, and makes it possible to avoid all overhead (e.g. if the icache node is alreayd determined in the setLastModified method, you don't want to do that again in doGet itself). These changes are not actually backwards compatible with existing 3rd party extensions of one of these servlets, but those would be easy to fix. I don't know if such extensions exist, and if so, if they indeed call these methods (most were final, so could not be overridden). If this is important to someone deprecated old-style methods could be added.
I offer the described improvements as a HACK to the 1.8 branch of MMBase. The involved classes are attached.
-- Pierre van Rooden Mediapark, C 107 tel. +31 (0)35 6772815 "Never summon anything bigger than your head."
