Hi, please tell me if fine-grained user access control is possible
in J-T, and if so, how to accomplish it.

I'm using Jakarta-Tomcat version 3.3a on a Solaris 8 box.
I have access control enabled such that users of my app must
supply a password; this uses a SimpleRealm with a local file
of users and passwords as specified in the context for my webapp
(in conf/apps-myapp.xml).  To gain access to J-T/webapps/myapp,
users enter a password.  So the first line of defense is working.

However, 'myapp' creates directories for each user under webapps/myapp
where users store their work.  Currently, an authenticated (but
malicious) user can access the files for another user by guessing the
appropriate URL under the J-T webapps/myapp/user directory. This is
the hole we need to close. 

I'm asking about how to restrict access to specific directories.
I have no need to restrict access on a file-by-file basis.

We specify a role for the users, but it's not clear to me that the
role information is used anywhere (?).

I've read the SimpleRealm part of the Server.xml Configuration 
document.  I have scanned the Tomcat Documentation, including the Tomcat
User's Guide, the server configuration, etc.  I've googled the question
with little success (other than some security hole warnings).

I sure hope that I don't have to create an instance of the webapp for
each user!

If it matters, we are using Apache as the front-end, and it forwards
requests on to the J-T server as needed.

Does this have anything to do with Slide (something Google turned up)??

(I don't mean to complain, but I sure would welcome some improvements
in the J-T documentation. :-/)

Thanks in advance, I look forward to hearing from someone.

chris...
(cml at cs dot umd dot edu)
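One way to close the hole described in the message above, as an added example that is not from the original post or from Tomcat itself: move the per-user directories under WEB-INF (which the container never serves directly, so guessed URLs return nothing) and hand files out through a servlet that derives the directory from the authenticated principal rather than from the URL. The servlet name, the `/files/*` mapping, and the `WEB-INF/userdata/<username>` layout are assumptions; the code uses only the Servlet 2.2 API that Tomcat 3.3 provides (no filters).

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Assumed layout: <webapp>/WEB-INF/userdata/<username>/...  (WEB-INF is
// never served directly by the container, so guessed URLs get nothing).
// Assumed web.xml: /files/* mapped to this servlet, plus a
// <security-constraint> on /files/* so the realm has authenticated the user.
public class UserFileServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Principal set by the realm; null if the constraint did not apply.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only the part after /files (e.g. "/report.txt") comes from the URL;
        // the owning directory comes from the principal, never from the client.
        String path = req.getPathInfo();
        if (path == null || path.indexOf("..") >= 0) { // coarse pre-check
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        File userDir = new File(getServletContext()
                .getRealPath("/WEB-INF/userdata"), user).getCanonicalFile();
        File target = new File(userDir, path).getCanonicalFile();
        // Canonical-prefix check stops traversal and symlinks out of the dir.
        if (!target.getPath().startsWith(userDir.getPath() + File.separator)
                || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(target.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

Because the user name never appears in the URL, one user cannot name another user's directory at all; the canonical-path check additionally rejects `..` and symlink escapes for the deployed (exploded) webapp that `getRealPath` assumes.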
