Chuck,

Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
>> Subject: Re: Tomcat Security
>>
>> Since each image could have different authorization settings,
>> you can't just use the servlet container's built-in authorization
>> (set up in web.xml). You will have to enforce this yourself.
>
> Not sure that's necessarily true. If the URI used to request the image
> used paths segregated by accessibility, I think most of the access
> checks could be handled by the appropriate declarative security
> constraints.

Well, he did say that the user can choose arbitrarily what the authorization rules were. I would imagine that includes changing it on the fly. Changing the URL on the fly based upon the authorization rules would be very awkward.

It was also unclear if the "passworded" images meant that a user must log in and be recognized, or there is a specific password on each image. The latter would prohibit web.xml-based authorization.

-chris
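
The programmatic enforcement discussed above, as an added example that is not part of the original message: a servlet filter that looks up a per-image rule on every request, so rules can change without touching URLs or web.xml. The class name, the in-memory rule store and the sample path are hypothetical; it assumes the `javax.servlet` API, a filter mapping of `/images/*`, and that the container has already authenticated the user.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): per-image authorization checked at request time.
public class ImageAuthorizationFilter implements Filter {
    // Hypothetical rule store: image path -> users allowed to view it.
    // A real application would back this with its database so owners can edit rules.
    private final Map<String, Set<String>> allowedUsers = new ConcurrentHashMap<>();

    @Override
    public void init(FilterConfig config) {
        // Constructed sample rule.
        allowedUsers.put("/images/alice/holiday.jpg", Set.of("alice", "bob"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path inside the web app, e.g. /images/alice/holiday.jpg
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);

        Set<String> allowed = allowedUsers.get(path);
        if (allowed == null) {
            // Deny by default: an image with no rule is never served.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // getRemoteUser() is null unless the container has authenticated the caller.
        String user = request.getRemoteUser();
        if (user == null || !allowed.contains(user)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A per-image password, the other reading raised in the message, would replace the `getRemoteUser()` lookup with a check of a credential supplied for that specific image.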