Ha ha... sounds like you're looking for a magic function, which reminds me of my first computer program... got to tell you :) A million years ago in my 1st year I was walking past the varsity mainframe, I'd heard all sorts of things about this amazing beast... so I walked in, watched someone using a punch card, after they left, I typed.... "draw nude girl"... stuck it in the machine and was hell-of-a-disappointed when I got "syntax error".... ha ha.

No, I think you're expecting too much.... the Tomcat guys have let people who want to develop a quick servlet define the DOORWAY to the role in web.xml and then quickly add users to the role in tomcat-users.xml.... and have provided a few simple functions like isUserInRole, which for the simplest of web sites are not even needed. It's simple, easy, and probably good enough for most things a Tomcat developer needs... very nice of them.

I was hoping that for what you need it would be possible to piggyback on that simple framework, even if it meant parsing the tomcat-users.xml to gray menus, but it seems you have to work outside of that framework.

If you are writing code like the stuff below.... forget about the simple security framework Tomcat provides, you don't need the Doorway in web.xml, and likewise tomcat-users.xml is not going to do a thing.... it only wakes up if you do the web.xml stuff. So if you define the URL and the restraining role in web.xml, then Tomcat wakes up and looks at tomcat-users.xml. If not, it doesn't know you're doing security, and even if you write security code, it's only between you and the browser; Tomcat will just send what you tell it to and get a browser response back. If you're writing code at this level.... forget about that config stuff..... you're on your own.

Can't quite see how you would use JAAS, but OK, you're going to use LDAP or something.

No magic functions.... you have to do something like this...

Using your code below, you make a servlet and map all the URLs through it.
A request comes in....
You grab the user name and password...
You call LDAP or JAAS or whatever security system you're using....
It tells you User OK, or NOT.
If OK you DISPATCH the request off to the JSP page.... and it displays.
If you want to control menus you ask the LDAP system or whatever if the user is allowed access to various menu items (which represent other roles). You stick that in a Bean.... pass it to the JSP page, it enables or disables the menus, and displays.

Not hard to do if you know Tomcat....
Somewhere and somehow you have to be able to tell the system all the users and roles... Whether you get it from JAAS or LDAP or parse the tomcat-users.xml, somewhere someone has to be able to tell the system, USERA is in RoleAccessPage1,2&3.

In fact I'm beginning to think that what you're looking for is yet another mapping...

So for example you may have generic roles like Visitors, Admin, Managers, New Employees, Company Visitors blah blah...
And then have another XML file that says
ADMIN -> ALL PAGES
VISITORS -> Intro.jsp, Welcome.jsp, Instructions.jsp, How To Pay and access the good stuff.jsp

I still have a feeling all you really need is the generic Tomcat security and someone to write a little XML parsing code that gives you functions like
IsThisUserAllowedToAccesThisPage(User,Link);

Then you have two maps to fill out.... User -> Role (already standard in Tomcat) and Role -> Link (a new XML file).

Maybe.... Anyway I don't think you're going to find the magic function you're looking for, and I also don't think it's an oversight by the Tomcat developers, I just think you're looking for an additional mapping function. Maybe it would be nice if Tomcat had a function to enumerate user roles (has it?) but even then you'd still be making some additional mapping function...

If you need someone to write the framework for you, once you have decided what you want, call me.

Regards,
Johnny
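The front-door servlet logic sketched in the reply above (grab the credentials, ask the backend, allow or deny, dispatch to the JSP) together with the proposed Role -> Link map, as an added example that is not code from this thread or from Tomcat. Gatekeeper.Authenticator is an assumed plug-in point for LDAP, JAAS or any other backend, the ADMIN/VISITORS mapping is a constructed sample, and the front servlet that creates a Gatekeeper and calls handle() is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class Gatekeeper {
    // Assumed plug-in point for LDAP, JAAS or any other backend: roles on success, null if rejected.
    public interface Authenticator { Set<String> authenticate(String user, String password); }
    private final Authenticator auth;
    // Constructed sample of the proposed Role -> Link file; "*" means all pages.
    private final Map<String, Set<String>> roleLinks = new HashMap<>();
    public Gatekeeper(Authenticator auth) {
        this.auth = auth;
        roleLinks.put("ADMIN", new HashSet<>(Arrays.asList("*")));
        roleLinks.put("VISITORS", new HashSet<>(Arrays.asList("/Intro.jsp", "/Welcome.jsp")));
    }
    // Parses "Basic base64(user:password)"; returns null for anything malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; }      // not valid base64
        int colon = decoded.indexOf(':');        // only the first ':' separates the two
        if (colon <= 0) return null;             // no separator or empty user name
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
    // Second map: may any of the user's roles open this link?
    boolean allowed(Set<String> roles, String link) {
        for (String role : roles) {
            Set<String> links = roleLinks.get(role);
            if (links != null && (links.contains("*") || links.contains(link))) return true;
        }
        return false;
    }
    // The steps from the post: credentials -> backend -> allow/deny -> dispatch to the JSP.
    public void handle(HttpServletRequest r, HttpServletResponse w) throws IOException, ServletException {
        String[] cred = parseBasic(r.getHeader("Authorization"));
        Set<String> roles = cred == null ? null : auth.authenticate(cred[0], cred[1]);
        if (roles == null) {                     // missing, malformed or rejected credentials
            w.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String link = r.getServletPath();
        if (!allowed(roles, link)) { w.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        r.setAttribute("roles", roles);          // the "Bean" the JSP greys its menus with
        r.getRequestDispatcher(link).forward(r, w);
    }
}
```

A malformed Authorization header (no Basic prefix, bad base64, no colon) gets a 401 challenge here instead of the StringIndexOutOfBoundsException the quoted snippet would throw; a valid user whose roles do not cover the link gets 403.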

----- Original Message ----- From: "Berglas, Anthony" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2007 3:26 AM
Subject: RE: Basic Auth without web.xml <security-constraint> not working


Thanks for your reply.

Getting the user name and password:

            import java.nio.charset.StandardCharsets;
            import java.util.Base64;

            String authorization = request.getHeader("Authorization");
            // Only a "Basic" credential is handled here; anything else is a failure
            if (authorization == null || !authorization.startsWith("Basic ")) return 0;

            // Authorization headers look like "Basic blahblah",
            // where blahblah is the base64 encoded username and
            // password. We want the part after "Basic ".
            String userInfo = authorization.substring(6).trim();
            String nameAndPassword;
            try {
                // java.util.Base64 replaces the non-public sun.misc.BASE64Decoder
                nameAndPassword = new String(Base64.getDecoder().decode(userInfo),
                                             StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return 0;   // header is not valid base64
            }
            // Decoded part looks like "username:password".
            int index = nameAndPassword.indexOf(":");
            if (index < 0) return 0;   // no separator: substring() below would throw
            String user = nameAndPassword.substring(0, index).trim();
            if (user.isEmpty()) return 0;   // trim() never returns null; check for empty instead
            String password = nameAndPassword.substring(index + 1);   // not trimmed: spaces may be part of it
            if (password.isEmpty()) return 0;

Yes, but now how do you validate the password is correct and check which
roles?  (Don't want to parse tomcat-users.xml, and we would like to be
able to use the LDAP etc. plug-ins.)  I don't think that JAAS is hooked
up at that level.


