Nicholas Sushkin wrote:

On Wednesday 28 June 2006 14:05, John Caron wrote:
I assume I need to get a session established, so that the authorization
need only be done once.  It would also be nice if I receive an
unauthorized request, that I could pass it to Tomcat's 401 challenge and
authentication mechanism. However, I'm already down in my servlet code,
past the point where Tomcat would handle the challenge and
authentication, and I don't see any way to pass it back to Tomcat.

You can create a separate servlet or jsp for accessing the content that requires authorization, then include that URL into web.xml stanza as requiring a valid user. Then, once that URL is accessed, Tomcat would prompt you to log in. In your "secure" servlet or JSP, you would get user id using getRemoteUser() and somehow decide whether the user is allowed access to the data corresponding to the current request parameters.

How to decide whether a user is authorized to view a certain dataset is up to you. For example, you may want to create a table in your database mapping users to datasets.

Here's an example of a web.xml stanza:

  <security-constraint>
    <display-name>Dataset Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Dataset Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/DatasetSecureServlet</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>User</role-name>
    </auth-constraint>
  </security-constraint>

Sorry if I am repeating something you already know.
Thanks, it's useful to hear someone else's take on the problem, even when I "already know" some of the details.

I guess I'm fishing around for anyone who has thought about or implemented "programmatic security" instead of / in addition to "container managed security".

Thanks for your time.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
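The "secure" servlet Nicholas describes, written out as an added example (this is not code from the thread or from Tomcat). It assumes the web.xml stanza above protects /DatasetSecureServlet, so the container has already authenticated the user before doGet() runs; the servlet's only job is the dataset-level authorization. The user-to-dataset mapping is a hypothetical in-memory table standing in for the database table Nicholas suggests, and the request parameter name "dataset" is an assumption.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped to /DatasetSecureServlet, which web.xml lists under a
// <security-constraint>. Authentication (the 401 challenge, the login
// session) is handled by Tomcat before this code is reached.
public class DatasetSecureServlet extends HttpServlet {

    // Hypothetical ACL: user id -> dataset ids that user may read.
    // A real deployment would load this from the users-to-datasets table
    // described in the thread; it is hard-coded so the example runs alone.
    private static final Map<String, Set<String>> ACL = new HashMap<String, Set<String>>();
    static {
        ACL.put("alice", new HashSet<String>(Arrays.asList("climate-2005", "ocean-temp")));
        ACL.put("bob", new HashSet<String>(Arrays.asList("ocean-temp")));
    }

    // Deny by default: unknown user, unknown dataset, or missing parameter
    // all evaluate to "not allowed".
    static boolean isAllowed(String user, String dataset) {
        if (user == null || dataset == null) {
            return false;
        }
        Set<String> allowed = ACL.get(user);
        return allowed != null && allowed.contains(dataset);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRemoteUser() is the identity the container established at login.
        String user = req.getRemoteUser();
        if (user == null) {
            // Only reachable if this URL is not actually covered by the
            // security-constraint; treat it as a misconfiguration and refuse.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String dataset = req.getParameter("dataset");
        if (!isAllowed(user, dataset)) {
            // Authenticated but not authorized for this dataset: 403, not 401,
            // so the container does not re-issue a login challenge.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("serving dataset " + dataset + " to " + user);
    }

    // Same authorization rule for every method the constraint lists.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

Two points worth checking against the stanza above. First, the servlet never trusts getRemoteUser() to be non-null unless the URL is inside the security-constraint, so a typo in url-pattern fails closed instead of serving data to anonymous callers. Second, because the stanza enumerates http-method elements, only DELETE, GET, POST and PUT are constrained; HEAD, OPTIONS and TRACE on the same URL are not. Leaving the http-method elements out entirely makes the constraint cover all methods, which is the safer default for a resource like this.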
