We are currently using Tomcat 4.1.12. We are doing virtual hosting and install the /manager for each virt host. It all looks something like:

  <Host name="www.abc.com" debug="0" appBase="/pub/users/abc/www"
        unpackWARs="true" autoDeploy="true">
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="abc_log." suffix=".txt" verbosity="4" timestamp="true"/>
    <Context path="/manager"
             docBase="/usr/local/etc/tomcat/server/webapps/manager"
             debug="1" reloadable="true" crossContext="true" privileged="true">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="abc-manager_log." suffix=".txt" verbosity="4" timestamp="true"/>
    </Context>
  </Host>

  <Host name="www.xyz.com" debug="0" appBase="/pub/users/xyz/www"
        unpackWARs="true" autoDeploy="true">
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="xyz_log." suffix=".txt" verbosity="4" timestamp="true"/>
    <Context path="/manager"
             docBase="/usr/local/etc/tomcat/server/webapps/manager"
             debug="1" reloadable="true" crossContext="true" privileged="true">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="xyz-manager_log." suffix=".txt" verbosity="4" timestamp="true"/>
    </Context>
  </Host>

We are using the JDBC realm to authenticate users through mysql and this is working well. The problem is that there does not seem to be a way to limit a user to a particular virtual host. I have looked through the documentation and there is a Valve to restrict based on IP address or hostname, but nothing to restrict based on the username.

ie -
  www.abc.com/manager/html/list authenticates with abc/123
  www.xyz.com/manager/html/list authenticates with xyz/987

but user xyz can also get into www.abc.com/manager/html/list
and user abc can also get into www.xyz.com/manager/html/list

The way I have solved this is to make a copy of the default manager WAR - ie manager-abc, manager-xyz and point the Context to this unique WAR. Within the web.xml file for this manager WAR, I change both instances of <role-name>manager</role-name> to a unique role for this user.

ie :
  manager-abc/WEB-INF/web.xml contains <role-name>manager-abc</role-name>
  manager-xyz/WEB-INF/web.xml contains <role-name>manager-xyz</role-name>

In the user_roles mysql table, I use this new role instead of manager.

This seems to work OK and keeps user xyz out of abc's /manager, but this seems like an awful hack. Is there a better (easier) way of doing this?

--
John
___________________________________________________________________
John Murtari                              Software Workshop Inc.
[EMAIL PROTECTED] 315.695.1301(x-211)  "TheBook.Com" (TM)
http://www.thebook.com/
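
An added example, not part of the original post and not Tomcat code: a small Python audit of the layout described above, reporting every role that opens /manager on more than one virtual host. It assumes one realm shared by all hosts, as the post describes; server_xml(), web_xml() and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

BASE = "/usr/local/etc/tomcat/server/webapps/"

def server_xml(docbase_by_host):
    """Constructed stand-in for server.xml: one /manager Context per Host."""
    hosts = "".join(
        f'<Host name="{h}"><Context path="/manager" docBase="{d}" privileged="true"/></Host>'
        for h, d in docbase_by_host.items())
    return f"<Engine>{hosts}</Engine>"

def web_xml(role):
    """Constructed stand-in for a manager copy's WEB-INF/web.xml."""
    return ("<web-app><security-constraint><auth-constraint>"
            f"<role-name>{role}</role-name>"
            "</auth-constraint></security-constraint>"
            f"<security-role><role-name>{role}</role-name></security-role></web-app>")

def manager_roles(web_xml_text):
    """Roles named in the auth-constraint elements of one web.xml."""
    root = ET.fromstring(web_xml_text)
    return {r.text.strip()
            for ac in root.iter("auth-constraint")
            for r in ac.findall("role-name")}

def shared_manager_roles(server_xml_text, web_xml_by_docbase):
    """Return {role: [hosts]} for every role that opens /manager on 2+ hosts."""
    hosts_by_role = defaultdict(set)
    for host in ET.fromstring(server_xml_text).iter("Host"):
        for ctx in host.findall("Context"):
            if ctx.get("path") != "/manager":
                continue
            for role in manager_roles(web_xml_by_docbase[ctx.get("docBase")]):
                hosts_by_role[role].add(host.get("name"))
    return {r: sorted(h) for r, h in hosts_by_role.items() if len(h) > 1}

if __name__ == "__main__":
    # Layout from the post: both hosts point at the stock manager webapp.
    stock = server_xml({"www.abc.com": BASE + "manager", "www.xyz.com": BASE + "manager"})
    print(shared_manager_roles(stock, {BASE + "manager": web_xml("manager")}))
    # Workaround from the post: one copy and one role per host.
    split = server_xml({"www.abc.com": BASE + "manager-abc", "www.xyz.com": BASE + "manager-xyz"})
    print(shared_manager_roles(split, {BASE + "manager-abc": web_xml("manager-abc"),
                                       BASE + "manager-xyz": web_xml("manager-xyz")}))
```

An empty result means no role is accepted by the /manager of two different hosts; any entry lists the hosts a single role assignment in user_roles would unlock.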