Skip to main content

Cocoon authentication

This article will guide you through the steps showing how to use the Authentication Framework in a Cocoon 2.2 application.
  1. Maven dependencies.
  2. Spring configuration.
  3. Sitemap.
  4. Login page and controls.
Maven dependencies
You need the following dependency in your pom.xml:
<dependency>
  <groupId>org.apache.cocoon</groupId>
  <artifactId>cocoon-auth-impl</artifactId>
  <version>1.0.0</version>
</dependency>

Spring configuration
Authentication Framework has a flexible configuration based on a concepts of applications and security handlers. There can be several applications defined and running at the same that are simply independent security zones of your web application. The security details of an application are specified using a security handler. There are several implementations provided and you're free to implement your own. Here is the SimpleSecurityHandler used that takes the hardcoded credentials:
<?xml version="1.0"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

  <!-- This is a simple security handler -->
  <bean name="org.apache.cocoon.auth.SecurityHandler/handler"
        class="org.apache.cocoon.auth.impl.SimpleSecurityHandler">
    <property name="userProperties">
      <value>
        admin=password
      </value>
    </property>
  </bean>

  <!-- This is the standard application -->
  <bean name="org.apache.cocoon.auth.Application/myapp"
        class="org.apache.cocoon.auth.impl.StandardApplication">
    <property name="securityHandler" ref="org.apache.cocoon.auth.SecurityHandler/handler"/>
  </bean>
</beans>
You can protect your functionality with authentication using different ways. Below is the most straightforward way represented using the protected URI space that requires authentication.

Sitemap
Below are two pipelines managing the authentication process and the protected functionality. The pipeline delete/item is made internal-only, so it can be externally accessed only via the protected area: protected/delete/item. The request parameter destination is used to redirect back to the protected area once a user passes the authentication successfully.
<map:pipeline id="authentication">
  <!-- Simple login page -->
  <map:match pattern="login">
    <!-- if we are already logged in, redirect to destination -->
    <map:act type="cauth-is-logged-in">
      <map:parameter name="application" value="search"/>
      <map:redirect-to uri="{request-param:destination}"/>
    </map:act>
    <map:generate src="cocoon:/page/login.jx"/>
    <map:serialize type="xhtml"/>
  </map:match>

  <!-- Form target which performs auth service -->
  <map:match pattern="do-login">
    <!-- try to login -->
    <map:act type="cauth-login">
      <map:parameter name="application" value="search"/>
      <map:parameter name="name" value="{request-param:username}"/>
      <map:parameter name="password" value="{request-param:password}"/>
      <map:redirect-to uri="{request-param:destination}"/>
    </map:act>
    <!-- something was wrong, try it again -->
    <map:redirect-to uri="login?{request:queryString}"/>
  </map:match>

  <!-- Logout link which invalidates the session -->
  <map:match pattern="do-logout">
    <map:act type="cauth-logout">
      <map:parameter name="application" value="search"/>
      <map:redirect-to uri="{request-param:destination}"/>
    </map:act>
    <map:redirect-to uri="login?{request:queryString}"/>
  </map:match>

  <!-- Protected area -->
  <map:match pattern="protected/**">
    <map:act type="cauth-is-logged-in">
      <map:parameter name="application" value="search"/>
      <map:generate src="cocoon:/{../1}"/>
      <map:serialize type="xhtml"/>
    </map:act>
    <!-- something was wrong, redirect to login page -->
    <map:redirect-to uri="{request:contextPath}{request:servletPath}/login?destination={request:requestURI}?{request:queryString}"/>
  </map:match>
</map:pipeline>

<map:pipeline id="protected" internal-only="true">
  <!-- example of protected pipeline -->
  <map:match pattern="delete/item">
    <map:call function="deleteItem"/>
  </map:match>
</map:pipeline>
You can find three authentication actions used above: cauth-is-logged-in, cauth-login and cauth-logout. They are provided as a part of Authentication Framework, thus, do not require additional configuration.

Login page and controls
The login page is simple and implemented as a JX template. It takes care of submitting the authentication form properly with the correct destination parameter value. The variable blockPath helps to avoid redirection issues with incorrect relative URLs.
<?xml version="1.0" encoding="UTF-8"?>
<jx:template xmlns:jx="http://apache.org/cocoon/templates/jx/1.0">

  <!-- Import other used templates  -->
  <jx:import uri="page/templates/page.jx"/>

  <jx:set var="blockPath" value="${cocoon.request.contextPath + cocoon.request.servletPath}"/>

  <page-macro>
    <head-macro/>
    <body-macro>
      <h2 id="title">Login</h2>
      <form action="${blockPath}/do-login?destination=${cocoon.request.destination}" method="POST">
        <div>You need to be authenticated to perform upload/remove actions.</div>
        <table>
          <tbody>
            <tr>
              <td>User name:</td>
              <td>
                <input type="text" name="username"/>
              </td>
            </tr>
            <tr>
              <td>Password:</td>
              <td>
                <input type="password" name="password"/>
              </td>
            </tr>
            <tr>
              <td/>
              <td>
                <input type="submit" value="Login"/>
              </td>
            </tr>
          </tbody>
        </table>
      </form>
    </body-macro>
  </page-macro>

</jx:template>
Here is another JX template snippet that shows how to add a common html markup with logged in user name and controls. It also takes care of providing the destination parameter and uses the same blockPath variable as above.
<jx:set var="user" value="${cocoon.session.getAttribute('cauth-user-myapp')}"/>

<jx:choose>
  <jx:when test="${user != null}">
    <span id="logged_in">
      <span id="label_username">${user.getId()}</span>
      <a href="${blockPath}/do-logout?destination=${cocoon.request.requestURI}">
        <img src="${blockPath}/resource/external/icons/logout.png" title="Log out"/>
      </a>
    </span>
  </jx:when>
  <jx:otherwise>
    <span id="not_logged_in">
      <a href="${blockPath}/do-login?destination=${cocoon.request.requestURI}">
        <img src="${blockPath}/resource/external/icons/login.png" title="Log in"/>
      </a>
    </span>
  </jx:otherwise>
</jx:choose>
To conclude, I'll list other useful resources as the online documentation is quite poor:

Comments

Popular posts from this blog

DynamicReports and Spring MVC integration

This is a tutorial on how to exploit DynamicReports reporting library in an existing Spring MVC based web application. It's a continuation to the previous post where DynamicReports has been chosen as the most appropriate solution to implement an export feature in a web application (for my specific use case). The complete code won't be provided here but only the essential code snippets together with usage remarks. Also I've widely used this tutorial that describes a similar problem for an alternative reporting library.
So let's turn to the implementation description and start with a short plan of this how-to:
Adding project dependencies.Implementing the Controller part of the MVC pattern.Modifying the View part of the MVC pattern.Modifying web.xml.Adding project dependencies
I used to apply Maven Project Builder throughout my Java applications, thus the dependencies will be provided in the Maven format.

Maven project pom.xml file:
net.sourceforge.dynamicreportsdynamicrepo…

Do It Yourself Java Profiling

This article is a free translation of the Russian one that is a transcript of the Russian video lecture done by Roman Elizarov at the Application Developer Days 2011 conference.
The lecturer talked about profiling of Java applications without any standalone tools. Instead, it's suggested to use internal JVM features (i.e. threaddumps, java agents, bytecode manipulation) to implement profiling quickly and efficiently. Moreover, it can be applied on Production environments with minimal overhead. This concept is called DIY or "Do It Yourself". Below the lecture's text and slides begin.
Today I'm giving a lecture "Do It Yourself Java Profiling". It's based on the real life experience that was gained during more than 10 years of developing high-loaded finance applications that work with huge amounts of data, millions currency rate changes per second and thousands of online users. As a result, we have to deal with profiling. Application profiling is an i…

Using Oracle impdp utility to reload database

Here I'll show an example of using Oracle Data Pump Import (impdp) utility. It allows importing Oracle data dumps. Specifically, below is the list of steps I used on an existing Oracle schema to reload the data from a dump. Steps to reload the data from an Oracle dump
We start with logging into SQL Plus as sysdba to be able to manage users. sqlplus sys/password@test as sysdba Dropping the existing user. CASCADE clause will ensure that all schema objects are removed before the user. SQL> DROP USER test CASCADE; Creating a fresh user will automatically create an empty schema with the same name. SQL> CREATE USER test IDENTIFIED BY "testpassword"; Granting DBA role to the user to load the dump later. Actually, it's an overkill and loading the dump can be permitted using a more granular role IMP_FULL_DATABASE. SQL> GRANT DBA TO test; Registering the directory where the dump is located. SQL> CREATE DIRECTORY dump_dir AS '/home/test/dumpdir'; Runnin…