Ben Alex | 1 May 07:44 2004

Newbie questions: Velocity and Security


I am evaluating Slide 2.0rc1 with a Postgres 7.3.4 backend. It's ease of
deployment and hassle-free interoperability with WebDAV clients is
impressive. However, I do have a couple of questions I'd appreciate some
feedback on.

1. Most of our applications use Jakarta Velocity and The Spring Framework.
We would like Velocity VM pages to be stored in the Slide backend and
rendered by the Velocity engine. How have other people handled Velocity

2. We use our own security framework (
to integrate with Yale's CAS for single sign on and The Spring Framework for
bean security. We do not use container authentication, as our framework
handles that. I see Slide accesses the logged in Principal from the
container using WebdavUtils.getSlideToken(). Fortunately, there is a
work-around whereby if the container returns no Principal, the HttpSession
attribute keyed against WebdavUtils.PRINCIPAL_ATTRIBUTE is used to obtain
the Principal. I am assuming we could safely put a Principal in this
HttpSession attribute for Slide to access. If so, that solves the "not using
container security" integration issue. The next issue is Slide obtains
authorization details from its own internal repository, but we'd like to
hook into our existing authorization repository. Is there any easy way to
replace the repository being used for users, roles and groups, whilst all
the other content and permissions remain in the Slide database? We'd ideally
like to use our native database information and provide an adaptor so that
Slide can obtain read-only access (WebDAV editing of users, roles and groups
isn't necessary).

Given these dual requirements, I am considering extending
org.apache.velocity.runtime.resource.loader.ResourceLoader and making it a
Slide client. That way we could use existing Velocity servlets to front
requests (rather than the Slide servlet). As our security system uses a
ThreadLocal to hold the Principal, we have a way of presenting the
requesting Principal to Slide so it can make an authorization decision for
each individual template request. This is desirable as it allows templates
embedded using Velocity's #parse and #include directives to also be
authorized. Do people have any comments on this approach?

Any advice greatly appreciated.

Best regards
Ben Alex