cloud

toc
<mm:cloud>The cloud tag initializes the cloud to use.
attributes
  • name
    The name of the cloud. On default it is `mmbase'. The default will normally suffice, so you don't need not use this attribute.
    mmbase
  • username

    The authentication name to use (account). When used together with e.g. the method="http" option, validation only succeeds if the username equals this attribute. In this case it is also possible to supply a list of user names here (comma separated)

    It can also be used in combination with the `password' attribute, in which case authentication will happen automatically with the specified credentials.


  • logon
    Synonym to `username'
    see: username attribute of cloud
  • rank
    The required rank. This is another way to force a special user when using several methods. Often, you should use this attribute in combination with some `method' attribute, because if the `current' cloud (of the session) does not have a user of at least this required rank, then it needs to know how to log in again then. If there is no method in that case, then the body will be skipped, and no error will be shown (This behaviour may be useful to `check' a cloud only).
    administrator
    basic user
  • loginpage

    You can use the loginpage attribute to specify the (relative) path to a security login page. i.e.: 

            
<mm:cloud name="mmbase" loginpage="login.jsp">
...
</mm:cloud>
    The attribute has effect whenever someone who is not already logged on to the cloud requests the page containing the cloud tag. In that case, the tag checks whether the page has been called with a predefined set of parameters.

    If the page was called with the `command' parameter set to `login', the tag assumes a request is being made to log on using the parameters passed. The actual names of the parameter passed differs by security method chosen, which is defined by the `authenticate' attribute. For instance, with authenticate method `username/password', the following additional parameters are recognized:

    • cloud: similar to the cloudtag's `name' attribute
    • username: similar to the cloudtag's `username' attribute
    • password: similar to the cloudtag's `password' attribute
    If login succeeds, the page continues and displays normally. If the login fails, or if no `command=login' attribute was specified, the request is redirected to the page specified in the attribute. This `login page' can then take care of authentication, i.e. by displaying a form that allows the user to enter and submit the appropriate parameters (username/password) back to the originally called page. The page may also implement its own method of authentication. The `command=login' parameter has no effect when the loginpage attribute was not specified.

    The page should link page to the page which is supplied in the reference parameter. The login page itself should have a parameter `command' with value `login', `authenticate' with the authentication method which is wanted. Additional parameters will be passed to the underlying security implementation. A simple login page could contain the following jsp-code: 

            
<%@ taglib uri="http://www.mmbase.org/mmbase-taglib-1.0"  prefix="mm"%>
<html>
<mm:import externid="referrer" required="true" />
<mm:import externid="reason">please</mm:import>
<mm:write referid="reason">
  <mm:compare value="failed">
    <font color="red">Failed to log in. Try again</font>
  </mm:compare>
</mm:write>
    <form method="post" action="<mm:url page="$referrer" />" >
    <input type="hidden" name="command" value="login">
    <input type="hidden" name="cloud" value="mmbase"><!-- also default -->
    <input type="hidden" name="authenticate" value="name/password">

    <input type="text" name="username" value="">
    <br />
    <input type="password" name="password" value="">
    <br />
    <input type="submit" name="Login" value="login">
</form>
</html>
    When a user is logged in, a call in that page, with parameter `command' and value `logout' causes the user to be logged out.

    There are different situations on which the cloud tag with the attribute loginpage can react, they are:

    • scenario 1 : not logged-in, no parameter with value login: Stop current page processing, show the login.jsp, which is a form with parameter command with value login. Parameters can be specified inside a form. When the button submit is pressed, this parameters will be send to the referencing page (foo.jsp). The login page will be called with a `reference' attribute containing this page's URL, and a `reason' attribute `please'.
    • scenario 2 : not logged-in, a parameter with value login: The parameters will be retrieved from the request. These parameters will be passed to the security (CloudContext.getCloud(cloud, authenticate, otherparameters)), and the cloud retrieved will be stored inside the context.(from now you are logged in) Page processing of foo.jsp will continue, unless the authentications failed, because then again is redirected to the login page, but this time with `reason' `failed'.
    • scenario 3: logged-in Page foo.jsp will simply be processed. (Unless e.g. the `logon' attribute is not satisfied).
    • scenario 4: logged-in with parameter command with value logout The cloud in the session will be removed (you are now logged out) and we can continue here from scenario 1. Can also be done with method='logout'.

  • password

    The password to use to logon to the cloud. Always consider using method="pagelogon" when you use this attribute, because the default method will otherwise be "sessionlogon". Then, the resulting cloud-object is written to the session, and the visitor of your page can abuse this to gain authorisation also on other pages.

    You could also use 'class' authentication to avoid all passwords in JSP-code.


  • pwd
    Synonym to `password'
    see: password attribute of cloud
  • method
    Describes how to get the authentication information. The default behaviour is as described in `asis'.
    http Use http protocol to ask name and password from the user. If the `username' attribute is specified too, then logging on will fail if the user does not use that username. The `password' (or `pwd') attribute will be ignored.
    logout When using `http' to log on, the browser will store name and password. If you want to log on again, you have to `logout' first. In this case the `realm' of the http authentication will be changed, and you obtain a new possibility to log on after that. The cloud you obtain is anonymous.
    anonymous Ignore the `logon' attribute and create (or reuse) a cloud with an anonymous user.
    asis

    Ignore the `logon' attribute and reuse the cloud as it is in the session, or create an `anonymous' cloud, if there is not cloud in the session.

    pagelogon

    This method should be used together with the "password" attribute, to indicate that the resulting cloud should only be available to the current page, and not to the session.

    sessionlogon

    This method can be used together with "password" attribute, to indicate that the resulting cloud must be written in the session, and can be picked up with method="asis" in another page. Visitors of the page using the login-method should be trusted, because they could perhaps exploit this cloud-object in the session.

    For backwards compatibility reasons this method is the default method if you use the `password' attribute, but a warning will be logged to encourage to state this explicitly, because it is good that you are aware of the consequences.

    A page using a non-anonymous cloud in the session should not be cached publicly, that is another reason to use `pagelogon'.

    delegate

    Delegates logging in to the security's authentication implementation itself. The current request and response objects are given as credentials (e.g. to redirect to an external authentication server). You can also be authenticated only based on class (if in classauthentication.xml this jsp's class was mentioned).

    sessiondelegate

    As delegate, only the resulting cloud is written to the session (and can be picked up with `asis'). This should only be used if the user is trusted (and not e.g. when using `class' security, because then the class is trusted, rather then the user).

  • sessionname

    The name the cloud must get in the session. Using this it is possible to avoid retyping your password when switching between two sites which both use http authentication, but don't share users.

    You can also use a different sessionname for editor pages, so that editors need to log in separately on the front-end, which makes it easier for them to see how pages look for normal users.


  • authenticate
    The authentication module which must be used by the security system. The default is "name/password", which will do in many cases. Other values are often needed when method="delegate" or method="sessiondelegate".
    name/password

    The most common authentication method. You somehow have to supply a name/password combination.

    class

    This can be used in combination with method="delegate". The 1.8 class security (which can be installed in 1.7) feature can recognize this, and supply a cloud based on the class name of this jsp.

  • uri
    The uri in case the cloud has to be retrieved using the RMMCI. This makes it possible to display remote content.
    local Get a local cloud.
    rmi://... RMMCI cloud.
    rmi://www.mmbase.org/remotecontext
  • jspvar
    The name of The JSP variable to create that contains a reference to the cloud.
contextreader attributes
contextwriter attributes
contextreferrer attributes
cloudprovider attributes
example 1 
<!-- Show titles of all news articles from user kamer
    (which are in pool kamer_pool) only to user kamer -->
<mm:cloud jspvar="cloud" logon="kamer" method="http">
logged on as: <bean:write name="cloud" property="user.identifier" /><br />
<mm:node number="kamer_pool" id="my_node">
  <mm:related paths="news" orderby="number" directions="DOWN">
     <mm:first>
        <!-- show a small heading,
            which also contains the node-number of the pool -->
        <mm:field node="my_node" name="number" />:
        <mm:field name="number" />
            <mm:fieldinfo type="guiname" />
        </mm:field>:
        <mm:field name="title" />
            <mm:fieldinfo type="guiname" />
        </mm:field>:
     </mm:first>
     <mm:field name="number" />: <mm:field name="title" /><br />
  </mm:related>
</mm:node>
</mm:list>
</mm:cloud>
example 2 
<!-- To logon on as a different user on my_page.jsp,
    make a ref to a page -->
<mm:cloud method="logout" />
<% response.sendRedirect("http://my_host/my_page.jsp"); %>
example 3 
<mm:cloud rank="administrator">
   <!-- show some data, in this case, the first 'typedef',
        because this type is availabe in every MMBase installation -->
   <mm:listnodes type="typedef" max="1">
     <mm:field name="name" /> : <mm:field name="description" />
   </mm:listnodes>
</mm:cloud>
 javax.servlet.jsp.JspTagException: Response is commited already, cannot send a deny
example 4 
<mm:cloud method="http" jspvar="cloud">
  logged on as: <%= cloud.getUser().getIdentifier() %><br />
</mm:cloud>
<a href="<mm:url page="logout.jsp" />">logout</a>
 javax.servlet.jsp.JspTagException: Response is commited already, cannot send a deny
example 5 
<mm:cloud method="logout" />
<br />
<a href="<mm:url page="cloud.jsp" />">back to cloud.jsp</a>
back to cloud.jsp