> You've correctly summarized what I was getting at, and you've also correctly
> identified the drawbacks.
>
> It's useful to have that alternative on the table. And if the drawbacks are
> unacceptable then your proposal is justified.

check.

> Just out of curiosity, why do you need the list of users in the given role?
> After all, the authorization decisions will be made on a per-request basis
> depending on the currently authenticated user, based on the role of that
> user, and the servlet API will certainly furnish that information. The
> programmatic security in the servlet API exemplified by isUserInRole() is
> the fallback to declarative security, after all, designed for the situation
> that you find yourself in.
>
> Am I missing something?

just that i would like to present a list of users allowed to use the webapp (e.g. in the mywebapp_user role) to the superuser so she can grant them permissions without having to manually type in their usernames.

it's not a big deal, and there are at least a couple of ways we can make an effort to populate that list (query jdbc/jndi, note the existence of new users as they log in for the first time).

still, it seems that maybe the servlet api should offer this ability? i also wonder if there should be a way for "trusted" webapps to add/remove users and change their authentication and role information.

anyway, thanks for your thoughts and time.

- donald
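
The "note users as they log in for the first time" approach from the message above, sketched as a servlet filter. This is an added example, not code from the original post: the class name `RoleMemberRecorder` and the context attribute `knownRoleMembers` are hypothetical, and it assumes a container that supports `javax.servlet.Filter`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentSkipListSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter: remembers each authenticated user seen in the role.
public class RoleMemberRecorder implements Filter {
    static final String ROLE = "mywebapp_user";             // role name from the post
    static final String CONTEXT_ATTR = "knownRoleMembers";  // assumed attribute name

    // Sorted, thread-safe set; requests arrive concurrently.
    private final Set<String> seen = new ConcurrentSkipListSet<>();

    @Override
    public void init(FilterConfig cfg) {
        // Publish a read-only view so other code in the webapp (for example
        // the superuser's admin page) can list names but cannot alter them.
        cfg.getServletContext()
           .setAttribute(CONTEXT_ATTR, Collections.unmodifiableSet(seen));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String user = http.getRemoteUser();   // null when unauthenticated
            // Ask the container per request; it remains the source of truth.
            if (user != null && http.isUserInRole(ROLE)) {
                seen.add(user);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        seen.clear();
    }
}
```

The recorded set only suggests names to the superuser: it omits users who have never logged in and keeps users whose role was later revoked, so each request still has to be authorized with `isUserInRole()`.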
