Anthony,
Berglas, Anthony wrote:
> Tomcat seems to only check the Authorization: headers if there is some
> <security-constraint> explicitly declared in web.xml. However, it
> appears that the optimization has been incorrectly implemented because
> it does not then recheck the header if request.isUserInRole(...) etc.
> are called. So users cannot log into a system that uses
> request.isUserInRole(...).

Well, since you haven't asked Tomcat to provide authorization, it doesn't care about authentication. That seems perfectly reasonable to me.

> More specifically,
> my simple application tests request.isUserInRole(...) and
> request.getRemoteUser(). If the user lacks permissions the application
> sends a 401, and the user is prompted for a name/password which is sent
> back as an Authorization: Basic dGltOlBhc3N3b3JkMQ==

I'm guessing that you are manually sending the HTTP Auth header, right? If that's the case, then you'll have to manually process the HTTP Auth header coming from the client.

> There is no <security-constraint> clause in the web.xml because I do not
> want to declare them there. (They are instead declared internally as
> part of a menuing system, which calls request.isUserInRole().)

Any reason not to use the built-in authorization features of the servlet spec (which Tomcat correctly implements, IMO)?

> Is it possible for me to determine which users have which roles in my
> application so that I can check the header myself? I.e. get at the
> tomcat-users.xml style info, in a (fairly) web server independent
> manner?
>
> Or going the other way, is it possible for webapp to easily find out
> what roles are required for a given .jsp to run? (We want to grey out
> menu items that a user has no access to.)

Usually, this is done using a manual process where you call request.isUserInRole('whatever') and then choose to display or not display the links as appropriate.
I don't believe there is a facility for asking about what role /will be required/ for a certain URI pattern.

> My general feeling is that attempting to use Java Servlet security is
> just wrong. One should simply do it oneself.

Using Java security is super simple. Why are you complicating things? I'm sure there's a good reason. I'd just like to hear it.

-chris
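The approach Chris recommends above, as an added example that is not code from the thread or from Tomcat: let the container authenticate the caller through a declared <security-constraint>, then call request.isUserInRole() to decide which menu entries to grey out. The MenuServlet class, the MENU table, the /app/* URL space and the roles "user" and "admin" are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed web.xml (not shown): a <security-constraint> on /app/* whose <auth-constraint>
// names the roles "user" and "admin", a <login-config> with <auth-method>BASIC</auth-method>,
// and matching <security-role> entries. Without that constraint the container never
// evaluates the Authorization: header, so getRemoteUser() is null and isUserInRole() is false.
public class MenuServlet extends HttpServlet {
    // Hypothetical menu: URI -> role required to use it (null = any authenticated user).
    private static final Map<String, String> MENU = new LinkedHashMap<>();
    static {
        MENU.put("/app/home.jsp", null);
        MENU.put("/app/reports.jsp", "user");
        MENU.put("/app/admin.jsp", "admin");
    }

    // True when the container-authenticated principal may use a menu entry.
    static boolean allowed(HttpServletRequest req, String requiredRole) {
        if (req.getRemoteUser() == null) {
            return false; // nobody authenticated: show nothing as enabled
        }
        return requiredRole == null || req.isUserInRole(requiredRole);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Logged in as " + req.getRemoteUser() + "</p><ul>");
        for (Map.Entry<String, String> e : MENU.entrySet()) {
            String uri = e.getKey();
            if (allowed(req, e.getValue())) {
                out.printf("<li><a href=\"%s\">%s</a></li>%n", uri, uri);
            } else {
                // Greyed-out entry: no link is emitted. This is a usability hint only;
                // the <security-constraint> still enforces access if the URI is requested.
                out.printf("<li class=\"disabled\">%s</li>%n", uri);
            }
        }
        out.println("</ul>");
    }
}
```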