The name of the cloud. On default it is `mmbase'. The default will normally suffice, so
you don't need not use this attribute.
The authentication name to use (account). When used together with
e.g. the method="http" option, validation only succeeds if
the username equals this attribute. In this case it is also possible to
supply a list of user names here (comma separated)
It can also be used in combination with the `password' attribute, in which case
authentication will happen automatically with the specified credentials.
Synonym to `username'
see: username attribute of cloud
The required rank. This is another way to force a special user when using several
methods. Often, you should use this attribute in combination with some `method' attribute,
because if the `current' cloud (of the session) does not have a user of at least this
required rank, then it needs to know how to log in again then. If there is no method in that
case, then the body will be skipped, and no error will be shown (This behaviour may be
useful to `check' a cloud only).
You can use the loginpage attribute to specify the (relative) path to a security login page.
<mm:cloud name="mmbase" loginpage="login.jsp">
The attribute has effect whenever someone who is not already logged on to the cloud requests the page containing the cloud tag.
In that case, the tag checks whether the page has been called with a predefined set of parameters.
If the page was called with the `command' parameter set to `login', the tag assumes a request is being made to log on using the parameters passed.
The actual names of the parameter passed differs by security method chosen, which is defined by the `authenticate' attribute.
For instance, with authenticate method `username/password', the following additional parameters are recognized:
If login succeeds, the page continues and displays normally. If the login fails, or if no `command=login' attribute was specified, the request is redirected to the page specified in the attribute.
This `login page' can then take care of authentication, i.e. by displaying a form that allows the user to enter and submit the appropriate parameters (username/password) back to the originally called page.
The page may also implement its own method of authentication.
The `command=login' parameter has no effect when the loginpage attribute was not specified.
- cloud: similar to the cloudtag's `name' attribute
- username: similar to the cloudtag's `username' attribute
- password: similar to the cloudtag's `password' attribute
The page should link page to the page which is supplied in the reference parameter.
The login page itself should have a parameter `command' with value `login', `authenticate' with the authentication method which is wanted.
Additional parameters will be passed to the underlying security implementation.
A simple login page could contain the following jsp-code:
<%@ taglib uri="http://www.mmbase.org/mmbase-taglib-1.0" prefix="mm"%>
<mm:import externid="referrer" required="true" />
<font color="red">Failed to log in. Try again</font>
<form method="post" action="<mm:url page="$referrer" />" >
<input type="hidden" name="command" value="login">
<input type="hidden" name="cloud" value="mmbase"><!-- also default -->
<input type="hidden" name="authenticate" value="name/password">
<input type="text" name="username" value="">
<input type="password" name="password" value="">
<input type="submit" name="Login" value="login">
When a user is logged in, a call in that page, with parameter `command' and value `logout'
causes the user to be logged out.
There are different situations on which the cloud tag with the attribute loginpage can react, they are:
scenario 1 : not logged-in, no parameter with value login:
Stop current page processing, show the login.jsp, which is
a form with parameter command with value login. Parameters
can be specified inside a form. When the button submit is
pressed, this parameters will be send to the referencing
page (foo.jsp). The login page will be called with a
`reference' attribute containing this page's URL, and a
`reason' attribute `please'.
scenario 2 : not logged-in, a parameter with value login:
The parameters will be retrieved from the request. These
parameters will be passed to the security
otherparameters)), and the cloud retrieved will be stored
inside the context.(from now you are logged in) Page
processing of foo.jsp will continue, unless the
authentications failed, because then again is redirected
to the login page, but this time with `reason' `failed'.
scenario 3: logged-in Page foo.jsp will simply be
processed. (Unless e.g. the `logon' attribute is not
scenario 4: logged-in with parameter command with value
logout The cloud in the session will be removed (you are
now logged out) and we can continue here from scenario
1. Can also be done with method='logout'.
The password to use to logon to the cloud. Always consider using method="pagelogon" when you
use this attribute, because the default method will otherwise be "sessionlogon". Then, the
resulting cloud-object is written to the session, and the visitor of your page can abuse
this to gain authorisation also on other pages.
You could also use 'class' authentication to avoid all passwords in JSP-code.
Synonym to `password'
see: password attribute of cloud
Describes how to get the authentication information. The default behaviour is as described in `asis'.
Use http protocol to ask name and password
from the user. If the `username' attribute is specified too, then
logging on will fail if the user does not use that
username. The `password' (or `pwd') attribute will be ignored.
When using `http' to log on, the browser will store name and
password. If you want to log on again, you have to `logout' first.
In this case the `realm' of the http authentication will be
changed, and you obtain a new possibility to log on after
that. The cloud you obtain is anonymous.
Ignore the `logon' attribute and create (or reuse) a cloud with an anonymous user.
Ignore the `logon' attribute and reuse the cloud as
it is in the session, or create an `anonymous' cloud, if there is not cloud in the
This method should be used together with the "password" attribute, to indicate that the
resulting cloud should only be available to the current page, and not to the session.
This method can be used together with "password" attribute, to indicate that the
resulting cloud must be written in the session, and can be picked up with method="asis"
in another page. Visitors of the page using the login-method should be trusted, because
they could perhaps exploit this cloud-object in the session.
For backwards compatibility reasons this method is the default method if you use the
`password' attribute, but a warning will be logged to encourage to state this
explicitly, because it is good that you are aware of the consequences.
A page using a non-anonymous cloud in the session should not be cached publicly, that is
another reason to use `pagelogon'.
Delegates logging in to the security's authentication implementation itself. The current
request and response objects are given as credentials (e.g. to redirect to an external
authentication server). You can also be authenticated only based on class (if in
classauthentication.xml this jsp's class was mentioned).
As delegate, only the resulting cloud is written to the session (and can be picked up
with `asis'). This should only be used if the user is trusted (and not e.g. when using
`class' security, because then the class is trusted, rather then the user).
The name the cloud must get in the session. Using this it is possible to avoid retyping
your password when switching between two sites which both use http authentication, but
don't share users.
You can also use a different sessionname for editor pages, so that editors need to log in
separately on the front-end, which makes it easier for them to see how pages look for
The authentication module which must be used by the security system. The default is
"name/password", which will do in many cases. Other values are often needed when
method="delegate" or method="sessiondelegate".
The most common authentication method. You somehow have to supply a name/password combination.
This can be used in combination with method="delegate". The 1.8 class security (which
can be installed in 1.7) feature can recognize this, and supply a cloud based on the class name of
The uri in case the cloud has to be retrieved using the RMMCI. This makes it possible to
display remote content.
Get a local cloud.
The name of The JSP variable to create that contains a reference to the cloud.