From your emails it is unclear what you're trying to do. Let's establish exactly what you're talking about here:
- an application to manage users' access rights
- an 'act for' facility that could allow a superuser to perform actions on behalf of another user
- a tiered access model where different users have different access rights to perform actions d.

Donald Ball wrote:
>>You've correctly summarized what I was getting at, and you've also correctly
>>identified the drawbacks.
>>
>>It's useful to have that alternative on the table. And if the drawbacks are
>>unacceptable then your proposal is justified.
>
> check.
>
>>Just out of curiosity, why do you need the list of users in the given role?
>>After all, the authorization decisions will be made on a per-request basis
>>depending on the currently authenticated user, based on the role of that
>>user, and the servlet API will certainly furnish that information. The
>>programmatic security in the servlet API exemplified by isUserInRole() is
>>the fallback to declarative security, after all, designed for the situation
>>that you find yourself in.
>>
>>Am I missing something?
>
> just that i would like to present a list of users allowed to use the
> webapp (e.g. in the mywebapp_user role) to the superuser so she can
> grant them permissions without having to manually type in their
> usernames. it's not a big deal, and there are at least a couple of ways
> we can make an effort to populate that list (query jdbc/jndi, note the
> existence of new users as they log in for the first time).
>
> still, it seems that maybe the servlet api should offer this ability? i
> also wonder if there should be a way for "trusted" webapps to add/remove
> users and change their authentication and role information.
>
> anyway, thanks for your thoughts and time.
>
> - donald

--
David Mossakowski
[EMAIL PROTECTED]
Instinet Corporation
212.310.7275
