Hi,
I usually use custom user access control (nothing really fancy) since my
passwords are hashed and stored in a database. I never investigated if
Tomcat could give me the level of control I often need.
If you choose to go the same way (i.e. create your own custom solution), then
you could very easily write a filter that blocks access to user directories
and would only allow access depending on criteria that you set. The drawback
I see is that you're using T3.3. If you want to use filters (which I
think is a really cool feature in Servlet 2.3), then you'd have to upgrade
to T4.x.x; unless your apps specifically require T3.3.
Regards,
Paul
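As an added illustration of the filter approach Paul describes (this is not code from the thread or from Tomcat), here is a Servlet 2.3 filter for Tomcat 4 that only lets a request into /user/<name>/... when <name> matches the login the realm reports via getRemoteUser(). The /user/ prefix and the reliance on getRemoteUser() are assumptions about how 'myapp' lays out its per-user directories and how the realm exposes the authenticated user.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlet 2.3 filter, mapped to /user/* in web.xml. A request is passed on only
// when the first path segment below /user/ equals the authenticated principal,
// so /user/alice/notes.txt is readable by "alice" and nobody else.
public class UserDirectoryFilter implements Filter {
    // Assumption: per-user directories live under webapps/myapp/user/<name>/
    private static final String USER_ROOT = "/user/";

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the webapp, already URL-decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String owner = ownerOf(path);
        String user = request.getRemoteUser(); // set by the realm after login

        // Deny anything that is not unambiguously the caller's own directory:
        // no login, a foreign directory, a ".." segment, or /user/ itself.
        if (owner == null || user == null || !owner.equals(user)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns the directory owner named in the path, or null if the path is
    // not of the form /user/<name>/... or contains a ".." segment.
    static String ownerOf(String path) {
        if (path == null || !path.startsWith(USER_ROOT) || path.indexOf("..") >= 0) {
            return null;
        }
        String rest = path.substring(USER_ROOT.length());
        int slash = rest.indexOf('/');
        String owner = (slash < 0) ? rest : rest.substring(0, slash);
        return owner.length() == 0 ? null : owner;
    }
}
```

Declare it in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /user/*; filters run before the default servlet hands out static files, so the check applies to direct URL guesses as well as to servlet requests.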
From: Christopher Lott [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Control user access to directories in J-T ver 3.3 on unix?
Date: Tue, 21 May 2002 11:29:45 -0400 (EDT)
Hi, please tell me if fine-grained user access control is possible
in J-T, and if so, how to accomplish it.
I'm using Jakarta-Tomcat version 3.3a on a solaris 8 box.
I have access control enabled such that users of my app must
supply a password; this uses a SimpleRealm with a local file
of users and passwords as specified in the context for my webapp
(in conf/apps-myapp.xml). To gain access to J-T/webapps/myapp,
users enter a password. So the first line of defense is working.
However, 'myapp' creates directories for each user under webapps/myapp
where users store their work. Currently, an authenticated (but
malicious) user can access the files for another user by guessing the
appropriate URL under the J-T webapps/myapp/user directory. This is
the hole we need to close.
I'm asking about how to restrict access to specific directories.
I have no need to restrict access on a file-by-file basis.
We specify a role for the users, but it's not clear to me that the
role information is used anywhere (?).
I've read the SimpleRealm part of the Server.xml Configuration
document. I have scanned the Tomcat Documentation, including the Tomcat
User's Guide, the server configuration, etc. I've googled the question
with little success (other than some security hole warnings).
I sure hope that I don't have to create an instance of the webapp for
each user!
If it matters, we are using Apache as the front-end, and it forwards
requests on to the J-T server as needed.
Does this have anything to do with Slide (something Google turned up)??
(I don't mean to complain, but I sure would welcome some improvements
in the J-T documentation. :-/)
Thanks in advance, I look forward to hearing from someone.
chris...
(cml at cs dot umd dot edu)
--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]