-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anthony,

Berglas, Anthony wrote:
> Tomcat seems to only check the Authorization: headers if there is some
> <security-constraint> explicitly declared in web.xml.  However, it
> appears that the optimization has been incorrectly implemented because
> it does not then recheck the header if request.isUserInRole(...) etc.
> are called.  So users cannot log into a system that uses
> request.isUserInRole(...).

Well, since you haven't asked Tomcat to provide authorization, it
doesn't care about authentication. That seems perfectly reasonable to me.

> More specifically,
> my simple application tests request.isUserInRole(...) and
> request.getRemoteUser().  If the user lacks permissions the application
> sends a 401, and the user is prompted for a name/password which is sent
> back as an Authorization: Basic dGltOlBhc3N3b3JkMQ==

I'm guessing that you are manually sending the HTTP Auth header, right?
If that's the case, then you'll have to manually process the HTTP Auth
header coming from the client.

> There is no <security-constraint> clause in the web.xml because I do not
> want to declare them there.  (They are instead declared internally as
> part of a menuing system, which calls request.isUserInRole().)

Any reason not to use the built-in authorization features of the servlet
spec (which Tomcat correctly implements, IMO)?

> Is it possible for me to determine which users have which roles in my
> application so that I can check the header myself?  I.e. get at the
> tomcat-users.xml style info, in a (fairly) web server independent
> manner?
> 
> Or going the other way, is it possible for webapp to easily find out
> what roles are required for a given .jsp to run?  (We want to grey out
> menu items that a user has no access to.)

Usually, this is done using a manual process where you call
request.isUserInRole('whatever') and then choose to display or not
display the links as appropriate. I don't believe there is a facility
for asking about what role /will be required/ for a certain URI pattern.

> My general feeling is that attempting to use Java Servlet security is
> just wrong.  One should simply do it oneself.

Using Java security is super simple. Why are you complicating things?
I'm sure there's a good reason. I'd just like to hear it.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGCISx9CaO5/Lv0PARAv3eAJ9nC55oyOhFr0XdBWC87+hyBvrHqgCfTRSh
R7Nq3QMh0JbgddAkimpJZY0=
=9t1T
-----END PGP SIGNATURE-----
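
The declarative route Chris recommends, as an added example that is not part of the original thread: a web.xml fragment that makes Tomcat itself challenge for and check BASIC credentials, so request.getRemoteUser() and request.isUserInRole() are populated before the JSP runs. The URL pattern /menu/*, the role name menu-user and the realm name are assumptions for illustration; the user name and password come from decoding the Authorization header quoted above (dGltOlBhc3N3b3JkMQ== is "tim:Password1"), which also shows why Basic credentials need TLS.

```xml
<!-- web.xml: ask the container for authorization on the menu pages -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Menu pages</web-resource-name>
    <url-pattern>/menu/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>menu-user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Without a <login-config> the container never sends the WWW-Authenticate challenge -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>menu</realm-name>
</login-config>

<security-role>
  <role-name>menu-user</role-name>
</security-role>

<!-- conf/tomcat-users.xml: the matching entry for the default UserDatabaseRealm -->
<!-- <user username="tim" password="Password1" roles="menu-user"/> -->
```

With this in place, a request to /menu/anything without valid credentials gets a 401 plus the challenge from Tomcat, and a JSP under that path can call request.isUserInRole("menu-user") and get true for tim. A path outside /menu/* still gets no authentication, which is the behaviour the original poster observed.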

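If the application insists on keeping role checks out of web.xml, the header has to be processed by the application, as Chris says. The following servlet Filter is an added example, not code from the thread or from Tomcat: it decodes the Basic header, verifies the credentials against a constructed in-memory user table, sends the WWW-Authenticate challenge on failure (a bare 401 does not make the browser prompt), and wraps the request so that getRemoteUser() and isUserInRole() reflect the result for the menu code downstream. The class name, the role name menu-user and the plaintext password table are assumptions; a real deployment would compare password hashes and run over TLS, since Basic credentials are only base64-encoded.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter for a webapp with no <security-constraint>: it checks
 * "Authorization: Basic ..." itself and then exposes the outcome through
 * request.getRemoteUser() / request.isUserInRole() by wrapping the request.
 */
public class ManualBasicAuthFilter implements Filter {

    /** Constructed sample user store (plaintext only for the example). */
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("tim", "Password1");               // from the decoded header in the thread
        ROLES.put("tim", Collections.singleton("menu-user")); // assumed role name
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        String user = authenticate(httpReq.getHeader("Authorization"));
        if (user == null) {
            // The challenge header is what makes the browser ask for a name/password
            // and resend the request; a 401 without it just renders an error page.
            httpRes.setHeader("WWW-Authenticate", "Basic realm=\"menu\"");
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(new AuthenticatedRequest(httpReq, user), res);
    }

    /** Returns the user name when the Basic credentials are valid, otherwise null. */
    static String authenticate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64: treat as unauthenticated, do not throw
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null; // no "user:password" separator
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String expected = PASSWORDS.get(user);
        if (expected == null) {
            return null;
        }
        // Constant-time comparison so a wrong password does not leak its prefix length.
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                           password.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }

    /** Makes getRemoteUser()/isUserInRole() reflect the manual check for the menu code. */
    static class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;

        AuthenticatedRequest(HttpServletRequest req, String user) {
            super(req);
            this.user = user;
        }

        @Override public String getRemoteUser() { return user; }

        @Override public boolean isUserInRole(String role) {
            Set<String> roles = ROLES.get(user);
            return roles != null && roles.contains(role);
        }
    }
}
```

Map the filter to the same URL patterns the menu system guards (a <filter-mapping> in web.xml); the downstream JSPs then keep calling request.isUserInRole() unchanged. Note that this only answers "is the current user in role X"; it still gives no way to ask which roles a given JSP will require, which is the second question in the thread.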
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org