I want the user to enter the site by clicking on a link or whatever, so that the user enters the site using that request. It should be OK that the user tries to go to a restricted page by writing blabla:8080/MyApp/restrictedRequest.action?site=JustAGuess
But if that is done and the user has not got rights to do it, then he is being rejected...
Regards
Morten Andersen
PS: I did consider the role-based model from Tomcat, but that is coarse-grained, in the sense that it is based on 1 role for one web-app, and that is not sufficient.
Something else that occurs to me is that your security model appears to depend on a GET parameter in the request ("?site=MySite"). A client could easily change this value to circumvent your security. A better model is that your logon page sets a value in the Session object to identify the user. Then the security depends on a very long, random session ID and it is vanishingly unlikely that a client will be able to change this ID (either in a URL or a cookie) and, by chance, hit on a valid session ID belonging to another user.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
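The session-based check the reply above recommends, as an added example (not code from either poster): a servlet filter that takes the user's identity and the set of sites they may reach from the HttpSession, which the logon page is assumed to have filled after verifying credentials, and treats the "site" query parameter only as input to be authorized. The filter name, the session attribute names and the /logon.jsp path are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter mapped in web.xml to /restrictedRequest.action and the
// other protected paths. Identity and the sites a user may reach come only from
// the session, which the logon page filled after checking credentials; the
// "site" query parameter is untrusted input to authorize, never proof of identity.
public class SiteAuthorizationFilter implements Filter {
    // Session attribute names are assumptions for this example.
    static final String USER_ATTR = "authenticatedUser";
    static final String SITES_ATTR = "authorizedSites";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an unauthenticated client
        // cannot obtain one just by requesting a protected URL.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/logon.jsp");
            return;
        }

        @SuppressWarnings("unchecked")
        Set<String> sites = (Set<String>) session.getAttribute(SITES_ATTR);
        String requested = request.getParameter("site");
        if (requested == null || sites == null || !sites.contains(requested)) {
            // Guessing ?site=JustAGuess lands here: the parameter is compared with
            // server-side state the client cannot edit.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The logon page stores the authenticated user name and the sites looked up for that user under the same attribute names, so the only thing a client can tamper with is the parameter, which is checked, not trusted.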
Morten Andersen Master of applied mathematics and computer science Amanuensis (in e-learning)
The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk
Campusvej 55
DK-5230 Odense M
Denmark
+45 6550-3654
+45 6171-1103
Jabber id: [EMAIL PROTECTED]