Authorisation Actions

Note that the following is not the strongest method of preventing unauthorised access. The Paloose authorisation framework is only very loosely based on Cocoon so it is important to read the following carefully if you want to use this facility. Please read the Cocoon documentation on authentication as it is a useful background (it is much better than mine anyway).

The authorisation actions provide a mechanism to protect the sitemap pipeline and restrict use to only those requests that have been authorised. There are three main components, AuthAction, LoginAction and LogoutAction. They are declared as components as follows:

<actions>
    <map:action name="auth-protect" src="resource://lib/acting/AuthAction"/>
    <map:action name="auth-login" src="resource://lib/acting/LoginAction"/>
    <map:action name="auth-logout" src="resource://lib/acting/LogoutAction"/>
</actions>

Authorisation Example

It is best to show an example of how to use these to explain their operation. Take a simple system of log-in to restrict certain users to administration areas. Consider a simple site with the following directory structure:

We would like to protect all the pages within the admin directory, assuming a sub-sitemap in the admin directory with the above actions declared. The whole process falls into several stages:

Authorisation Handler

The authorisation is controlled using a handler defined within the pipelines declaration. In the example we might have:

<map:pipelines>
    <map:component-configurations>
        <map:authentication-manager>
            <map:handlers>
                <map:handler name="adminHandler">
                    <!-- Run this if the user needs login -->
                    <map:redirect-to uri="cocoon:/login"/>
                    <!-- The pipeline used to authenticate the user -->
                    <map:authentication uri="cocoon:/authenticate-user.html" />
                </map:handler>
            </map:handlers>
        </map:authentication-manager>
    </map:component-configurations>

Like Cocoon, it is possible to have several handlers to run different authorisation schemes for different documents. In the code above the handler adminHandler has an authentication mechanism invoked by calling (internally) the URI cocoon:/authenticate-user.html, which is matched to a pipeline within the current sitemap. If the user is authorised then the handler allows access to proceed. If not, the user is redirected to the login process accessed using cocoon:/login, again within the current sitemap. Note that there is no application management in Paloose.

Protecting Individual Pages

In order to protect a request page we have to associate it with the adminHandler handler above. We do this by using the action auth-protect which was previously declared in the components section of the sitemap. The auth-protect action takes a single parameter defining the handler to use (adminHandler).

<map:match pattern="**.html">
    <map:act type="auth-protect">
        <map:parameter name="handler" value="adminHandler"/>
        <map:aggregate element="root" >
            <map:part ..../>
        </map:aggregate>
        <map:call resource="outputPage"/>
    </map:act>
</map:match>

In this case, if the user is authorised (using the handler) to see all html pages matched in this sitemap, then the pipeline nested inside the action will be processed as normal (aggregate, call, etc.). The following illustrates the relationship of the code above:

The next section deals with the actual authorising mechanism.
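As an added example (not from the Paloose documentation or distribution), the pieces from the handler and page-protection sections above are combined into one admin sub-sitemap. The file name, the sitemap namespace, the map: prefix on the actions element, the login matcher and the map:part source are assumptions; the unprotected variant relies on the Cocoon-style rule, which Paloose is assumed to follow, that only elements nested inside map:act are skipped when the action fails.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: admin/sitemap.xmap (file name and namespace assumed). -->
<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">

  <map:components>
    <map:actions>
      <map:action name="auth-protect" src="resource://lib/acting/AuthAction"/>
      <map:action name="auth-login"   src="resource://lib/acting/LoginAction"/>
      <map:action name="auth-logout"  src="resource://lib/acting/LogoutAction"/>
    </map:actions>
  </map:components>

  <map:pipelines>
    <map:component-configurations>
      <map:authentication-manager>
        <map:handlers>
          <map:handler name="adminHandler">
            <map:redirect-to uri="cocoon:/login"/>
            <map:authentication uri="cocoon:/authenticate-user.html"/>
          </map:handler>
        </map:handlers>
      </map:authentication-manager>
    </map:component-configurations>

    <map:pipeline>
      <!-- The login page must NOT be wrapped in auth-protect, otherwise the
           handler's redirect to cocoon:/login lands on another login check. -->
      <map:match pattern="login">
        <!-- generate and serialise the login form here (assumed) -->
      </map:match>

      <!-- UNPROTECTED (mistake): aggregate and call sit outside map:act, so
           they run whether or not the handler authorised the request. -->
      <!-- <map:match pattern="**.html">
             <map:act type="auth-protect">
               <map:parameter name="handler" value="adminHandler"/>
             </map:act>
             <map:aggregate element="root"> (parts) </map:aggregate>
             <map:call resource="outputPage"/>
           </map:match> -->

      <!-- PROTECTED: everything that produces the page is nested in map:act. -->
      <map:match pattern="**.html">
        <map:act type="auth-protect">
          <map:parameter name="handler" value="adminHandler"/>
          <map:aggregate element="root">
            <map:part src="cocoon:/content/{1}.xml" element="content"/>
          </map:aggregate>
          <map:call resource="outputPage"/>
        </map:act>
      </map:match>
    </map:pipeline>
  </map:pipelines>
</map:sitemap>
```

The quick check when reviewing such a sitemap is to confirm that every generating or calling step for a protected page appears between the opening and closing map:act tags, not after them.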

Copyright 2006 – 2017 Hugh Field-Richards. All Rights Reserved.