[opencms-dev] Password protected areas of the website.

M Butcher mbutcher at grcomputing.net
Wed Aug 13 07:01:01 CEST 2003


On Tue, 2003-08-12 at 22:18, Ben Rometsch wrote:
> The template solution does not seem that bad an idea to me. Am I to assume
> that there's no standard way within OpenCMS of defining a subsection of the
> VFS tree with a certain user group priveledge?

There may be -- it uses UNIX-like permissions -- but because of the
nature of the project I was working on, I never explored that method
thoroughly. The question would be whether or not you could make WebUsers
members of a group with read permissions to a resource (file or dir),
while marking it off limits to regular users. 

> Would I be right in saying that the authentication templates that you use
> simply perform a sanity check on the WebUser object in the session? I have
> just started using opencms and am still finding my feet. Would it be
> possible for you to post a fragment of the template code to demonstrate?
> 

Exactly. Roughly, it checks to make sure that the user object (which is
in the session, though that is transparent to the JSP) is valid (and not
Guest). A really simple version of this method would be:

CmsJspActionElement cms = new CmsJspActionElement(pageContext, request,
response);

if("Guest".equals(cms.user("name")) {
  //redirect or force login or something...
}

// do rest of page...


I think I also add some checks to make sure the user is valid (maybe
CmsObject.readUser()... can't remember).

Anyway, it's simple, straightforward, and not very pretty, but it works.

Matt

> Ben
> 
> -----Original Message-----
> From: opencms-dev-admin at opencms.org [mailto:opencms-dev-admin at opencms.org]
> On Behalf Of M Butcher
> Sent: 13 August 2003 14:16
> To: opencms-dev at opencms.org
> Subject: RE: [opencms-dev] Password protected areas of the website.
> 
> On Tue, 2003-08-12 at 21:17, Ben Rometsch wrote:
> > Hi Matt,
> > 
> > Thanks for the fast response. Would I be right in saying that I can 
> > create a new User Group within OpenCMS with no permissions, create 
> > users of that group, and then write my own JSP script to handle the 
> > log in functionality on the actual website? I.e. create a session 
> > scoped CmsUser object on login and check for its existence in the 
> > session within the password protected area, redirecting if it does not
> exist?
> 
> I leave my webusers in the Guest group, though you could create another
> group if you wanted. Then, I use JSPs as you suggested to verify that the
> user is logged in (as someone other than Guest). Really, all of the scoping
> is handled within OpenCMS, so all you need is a) a way to log in, and b) a
> way to mark a group of pages as "Members Only". a) is easy enough, since
> just about all of the functionality you need is provided in the CmsObject
> and CmsUser classes. As for b), there are a lot of ways to do it -- some
> probably better than others. My way is pretty ugly, design wise, but I have
> a specific set of templates that require authentication, and all member
> content uses those templates. A better (or at least prettier) method would
> be to set up some sort of access control mechanism for VFS directories.
> 
> > 
> > Just out of interest, is there an OpenCMS forum or IRC channel?
> > 
> 
> There was a forum at http://synyx.de/board/, but it seems to be down right
> now. AFAIK, there is no IRC... However, if someone started one...
> 
> > Ben
> > 
> > -----Original Message-----
> > From: opencms-dev-admin at opencms.org 
> > [mailto:opencms-dev-admin at opencms.org]
> > On Behalf Of M Butcher
> > Sent: 13 August 2003 13:34
> > To: opencms-dev at opencms.org
> > Subject: Re: [opencms-dev] Password protected areas of the website.
> > 
> > Use WebUsers (not to be confused with the WebUser table which is for 
> > storing additional info).
> > 
> > Take a look at the Javadocs for the com.opencms.file.CmsObject 
> > (readWebUser, createWebUser, etc.) and com.opencms.file.CmsUser
> > 
> > In short, a webuser is stored in the same table as regular users, but 
> > 1) does not have permissions to use the CMS and 2) does not have much 
> > of the permissions that regular users have. We use webusers for 
> > exactly the purpose you are talking about.
> > 
> > Now, there are also other ways of achieving the same results with 
> > standard HTTP auth and some tweaks to your code. If webuser won't 
> > work, you may want to look at building an external mechanism.
> > 
> > Hope that helps,
> > 
> > Matt
> > 
> > _______________________________________________
> > This mail is send to you from the opencms-dev mailing list To change 
> > your list options, or to unsubscribe from the list, please visit 
> > http://mail.opencms.org/mailman/listinfo/opencms-dev
> --
> M Butcher <mbutcher at grcomputing.net>
> _______________________________________________
> This mail is send to you from the opencms-dev mailing list To change your
> list options, or to unsubscribe from the list, please visit
> http://mail.opencms.org/mailman/listinfo/opencms-dev
> 
> _______________________________________________
> This mail is send to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://mail.opencms.org/mailman/listinfo/opencms-dev
-- 
M Butcher <mbutcher at grcomputing.net>



More information about the opencms-dev mailing list