Thanks for the reply.

The underlying issue is that when Role R is required for Page P then
*TWO* things need to happen depending on whether the user is in role R.
These are

1. Allow or block access to page P.
2. Grey out or not grey out the menu item for page P.

We only want to specify the fact that Role R is required for Page P
ONCE.  Declarations in web.xml handle 1.  but not 2.  

That is why I want to do it "manually".  (Where "manual" means a few
lines of code in one specific method that is automatically called by all
pages as part of a larger infrastructure.)

> Well, since you haven't asked Tomcat to provide authorization, it
> doesn't care about authentication. That seems perfectly reasonable to
> me.

Not so.  I have asked Tomcat to provide authorization by calling
request.isUserInRole(...).  And Tomcat fails.

IMHO it is a straight bug in an optimization.  isUserInRole etc. needs
to have an extra test:
  if (! authenticationHeaderProcessed() )
     processAuthenticationHeader();

I'll hack around it if there is no magic option.

Anthony

> Berglas, Anthony wrote:
> > Tomcat seems to only check the Authorization: headers if there is some
> > <security-constraint> explicitly declared in web.xml.  However, it
> > appears that the optimization has been incorrectly implemented because
> > it does not then recheck the header if request.isUserInRole(...) etc.
> > are called.  So users cannot log into a system that uses
> > request.isUserInRole(...).
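
An added example, not part of the original message and not Tomcat code, of the pattern the post describes: a single page-to-role table consulted for both the access decision and the menu state. The class name, page paths and role names are hypothetical, and the `Predicate<String>` stands in for `request::isUserInRole` so the sketch runs outside a container.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

/** Constructed example: one page-to-role table drives both enforcement and menu state. */
public class PageRoles {
    // The only place "role R is required for page P" is declared (sample values, made up).
    private static final Map<String, String> REQUIRED_ROLE = new LinkedHashMap<>();
    static {
        REQUIRED_ROLE.put("/home.jsp", null);              // null = no role needed
        REQUIRED_ROLE.put("/reports/sales.jsp", "manager");
        REQUIRED_ROLE.put("/admin/users.jsp", "admin");
    }

    /** 1. Allow or block access. Pages missing from the table are denied by default. */
    static boolean mayAccess(String page, Predicate<String> isUserInRole) {
        if (!REQUIRED_ROLE.containsKey(page)) {
            return false;
        }
        String role = REQUIRED_ROLE.get(page);
        return role == null || isUserInRole.test(role);
    }

    /** 2. Grey out or not. Reuses mayAccess so the menu cannot drift from enforcement. */
    static String renderMenu(Predicate<String> isUserInRole) {
        StringBuilder html = new StringBuilder("<ul>\n");
        for (String page : REQUIRED_ROLE.keySet()) {
            if (mayAccess(page, isUserInRole)) {
                html.append("  <li><a href=\"").append(page).append("\">")
                    .append(page).append("</a></li>\n");
            } else {
                html.append("  <li class=\"disabled\">").append(page).append("</li>\n");
            }
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Stand-in for request::isUserInRole; this sample user holds only "manager".
        Predicate<String> manager = "manager"::equals;
        System.out.println("sales page allowed:   " + mayAccess("/reports/sales.jsp", manager));
        System.out.println("admin page allowed:   " + mayAccess("/admin/users.jsp", manager));
        System.out.println("unlisted page allowed: " + mayAccess("/unknown.jsp", manager));
        System.out.println(renderMenu(manager));
    }
}
```

The greyed-out menu entry is presentation only; the server-side `mayAccess` call made when the page itself is requested is what enforces the rule.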

