On Wednesday 28 June 2006 14:05, John Caron wrote: 

> I assume I need to get a session established, so that the authorization
> need only be done once.  It would also be nice if I receive an
> unauthorized request, that I could pass it to Tomcat's 401 challenge and
> authentication mechanism. However, I'm already down in my servlet code,
> past the point where Tomcat would handle the challenge and
> authentication, and I don't see any way to pass it back to Tomcat.

You can create a separate servlet or jsp for accessing the content that 
requires authorization, then include that URL into web.xml stanza as 
requiring a valid user. Then, once that URL is accessed, Tomcat would 
prompt you to log in. In your "secure" servlet or JSP, you would get user 
id using getRemoteUser() and somehow decide whether the user is allowed 
access to the data corresponding to the current request parameters.

How to decide whether a user is authorized to view a certain dataset is up 
to you. For example, you may want to create a table in your database 
mapping users to datasets.

Here's an example of web.xml stanza,

   <security-constraint>
      <display-name>Dataset Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Dataset Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/DatasetSecureServlet</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>User</role-name>
      </auth-constraint>
   </security-constraint>

Sorry if I am repeating something you already know.
-- 
Nicholas Sushkin
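The "secure" servlet that the reply describes, written out as an added example (it is not part of Nicholas's message or of any Tomcat project code). It assumes the servlet is mapped to the /DatasetSecureServlet url-pattern from the stanza above, that web.xml also carries a matching <login-config> (BASIC or FORM) and a <security-role> for "User" so that Tomcat actually issues the challenge, and that the dataset takes the form of a request parameter named dataset. The class name, the user names and the dataset names are constructed for the example; the in-memory map stands in for the users-to-datasets database table suggested in the reply.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet behind the /DatasetSecureServlet security constraint.
// By the time doGet runs, Tomcat has already authenticated the caller (and,
// with FORM auth, holds the login in the session); this class only decides
// whether that user may read the dataset named in the request.
public class DatasetSecureServlet extends HttpServlet {

    // Constructed stand-in for the users -> datasets table. Keys are the
    // principal names that getRemoteUser() returns after the container login.
    private static final Map<String, Set<String>> ACL = new HashMap<String, Set<String>>();
    static {
        ACL.put("alice", new HashSet<String>(Arrays.asList("sst-2005", "wind-2006")));
        ACL.put("bob", Collections.singleton("wind-2006"));
    }

    // Pure authorization decision, separated from the servlet plumbing so it can
    // be unit-tested and later swapped for a JDBC lookup without touching doGet.
    static boolean isAllowed(String user, String dataset) {
        if (user == null || dataset == null) {
            return false; // unauthenticated or malformed request: deny by default
        }
        Set<String> allowed = ACL.get(user);
        return allowed != null && allowed.contains(dataset);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();   // filled in by Tomcat after the 401 challenge
        String dataset = req.getParameter("dataset");

        if (user == null) {
            // Only reachable if the servlet is also exposed on an unprotected path
            // (or on a method the stanza does not list); fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!isAllowed(user, dataset)) {
            // Authenticated but not entitled to this dataset: answer 403, not 401,
            // so the container does not re-prompt for credentials. Log the denial
            // so repeated probing of other users' datasets is visible in the logs.
            log("denied dataset '" + dataset + "' to user '" + user + "'");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("dataset " + dataset + " delivered to " + user);
    }
}
```

One point worth checking when adopting the stanza: listing <http-method> elements protects only those methods, so a HEAD or OPTIONS request to the same URL bypasses the constraint. Either omit the <http-method> list entirely (every method is then protected) or, on Tomcat versions that support it, use <http-method-omission>. The getRemoteUser() null check in the servlet is the backstop for exactly that gap.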

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
