On Mon, 3 Sep 2001, Roland wrote:
> Date: Mon, 3 Sep 2001 16:19:48 -0300
> From: Roland <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Limits on the size of the web.xml file?
>
> > Sounds like a redesign is more appropriate.
> >
> > Memory issues aside, have you considered the fact that using individual
> > security constraints for each and every user means that you have to
> > restart the entire app every time you add a new user? Or, that every time
> > you add a user and restart, the restart time gets longer and longer?
>
> Thats a problem!
>
> > Use application specific logic to ensure that a particular user can only
> > see things that are relevant to them (i.e. their own mailbox in a
> > WebMail scenario).
>
> That was my original design idea. BUT, in this case I don't know how to
> prevent someone to see the data from other users. How can I stop someone
> from trying to access the mail from someone else? Supposing that all
> "standard" users will have the same role, the security will allow him to see
> all directories.
>
The details *vastly* depend on how your app is put together, but it isn't
all that complicated to figure out.
Consider that you might have the mailboxes for a particular user defined
in a database table called "mailboxes", with columns "username" and
"mailboxname". It would be easy to construct an SQL statement like this:
select mailboxname from mailboxes
where username = xxx
and replace xxx by the value returned from request.getRemoteUser(). This
would allow the user access *only* to his or her own mailboxes.
I'm assuming that you are *not* allowing users to upload their own
servlets or JSP pages, so they can only access what your app allows. If
this is not true, all bets are off (and I wouldn't ever trust your server
with my mail messages anyway :-).
> A question besides here, using JDBC realms is it possible to assign mutliple
> roles to one user? How do I do it? Do I have to put several entries in the
> user_roles table? One line for each role of the user?
Yep. A user can have as many roles as you want to assign them.
>
> Thanks in advance...
>
>
>
Craig
