
Cocoon Authentication 1.0


Cocoon is a great framework for writing web applications. Unfortunately, there is no existing way to manage application configuration, that is, a configuration that is global to your application. Of course there are several ways to do this, e.g. by defining parameters in the web.xml, by adding the configuration to some Spring or Avalon component, or by providing your own configuration mechanism.

But in many cases, although you only have one web application from the servlet specification point of view, you might have several applications running in one single Cocoon instance at the same time. And of course each of these applications needs its own configuration. For example, a portal needs some configuration about where the user profiles are stored, what layout to use, etc. And inside the portal you have several Cocoon-powered web applications (portlets) running.

Cocoon Auth offers the notion of an application with its own configuration. It's possible to configure several applications with different configurations. In addition, an application is associated with authentication and authorization. It's possible to define whether a user is required to log in to use the application and to control the rights for a particular user (or depending on his role etc.).

Configuring the application

Before you can use an application, you have to tell Cocoon Auth about it. Technically, an application is a singleton component, so the configuration of an application takes place in a Spring configuration file.

Let's have a look at a simple application configuration:

<bean name="org.apache.cocoon.auth.Application/WebShop"
      class="org.apache.cocoon.auth.impl.StandardApplication">
  <property name="securityHandler" ref="org.apache.cocoon.auth.SecurityHandler/shop-handler"/>
  <!-- ... Configuration for the application - if required -->
</bean>

In the example above we define one application called WebShop. Each application must have a unique name that is later used as a reference to this application. This name is defined in the name attribute and has to be prefixed with "org.apache.cocoon.auth.Application/". In addition, an application is "secured" by a security handler, which means that only users who are logged in using this handler are allowed to use this application. The configuration of an application takes the name of the security handler as a required property. Please see the security handler documentation for more information on security handlers.

Inside the application you can use custom properties for configuring your application.

If you don't need a special security handler in your application, configure the anonymous security handler.
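The naming and wiring rules described above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the Cocoon documentation or code base: it audits a Spring configuration for applications that have no securityHandler property, reference a handler bean that is not defined, or reuse an application name. The sample configuration and the example.ShopHandler class are constructed, and the check assumes all beans are defined in one file.

```python
import xml.etree.ElementTree as ET

APP_PREFIX = "org.apache.cocoon.auth.Application/"
HANDLER_PREFIX = "org.apache.cocoon.auth.SecurityHandler/"

# Constructed sample; example.ShopHandler is a placeholder class name.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
 <bean name="org.apache.cocoon.auth.SecurityHandler/shop-handler" class="example.ShopHandler"/>
 <bean name="org.apache.cocoon.auth.Application/WebShop" class="org.apache.cocoon.auth.impl.StandardApplication">
  <property name="securityHandler" ref="org.apache.cocoon.auth.SecurityHandler/shop-handler"/>
 </bean>
 <bean name="org.apache.cocoon.auth.Application/Admin" class="org.apache.cocoon.auth.impl.StandardApplication"/>
 <bean name="org.apache.cocoon.auth.Application/Reports" class="org.apache.cocoon.auth.impl.StandardApplication">
  <property name="securityHandler" ref="org.apache.cocoon.auth.SecurityHandler/report-handler"/>
 </bean>
 <bean name="org.apache.cocoon.auth.Application/WebShop" class="org.apache.cocoon.auth.impl.StandardApplication"/>
</beans>"""

def local(tag):
    """Strip an XML namespace so '{ns}bean' and 'bean' compare equal."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return a sorted list of (application name, problem) findings."""
    beans = [e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "bean"]
    names = [b.get("name") or b.get("id") or "" for b in beans]
    handlers = {n for n in names if n.startswith(HANDLER_PREFIX)}
    findings, seen = [], set()
    for bean, name in zip(beans, names):
        if not name.startswith(APP_PREFIX):
            continue  # not an application bean
        app = name[len(APP_PREFIX):]
        if app in seen:
            findings.append((app, "duplicate application name"))
        seen.add(app)
        # The securityHandler property is required for every application.
        refs = [p.get("ref") for p in bean
                if local(p.tag) == "property" and p.get("name") == "securityHandler"]
        if not refs:
            findings.append((app, "no securityHandler property"))
        elif refs[0] not in handlers:
            findings.append((app, "securityHandler ref is not a defined handler bean"))
    return sorted(findings)

if __name__ == "__main__":
    for app, problem in audit(SAMPLE):
        print(f"{app}: {problem}")
```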

Implementing your Application

Depending on your requirements, you can either use a predefined implementation for an application, or you can implement your own application object. Whatever you choose, the Java class must conform to the org.apache.cocoon.auth.Application interface.

Cocoon Auth comes with a standard implementation, org.apache.cocoon.auth.impl.StandardApplication. This implementation should suffice for most use cases; have a look at the documentation of this class for more info.

If you want to use Cocoon Auth in combination with the Cocoon portal, you should use an application implementation that provides some functionality required by the portal. Cocoon Auth already comes with an implementation: org.apache.cocoon.auth.portal.StandardPortalApplication that you can use in combination with the group based profile manager of the Cocoon portal.

If you want to implement your own application, the best way is to choose an existing application (StandardApplication or StandardPortalApplication) and to extend it by subclassing.
