Anthony,

Berglas, Anthony wrote:
> Thanks for the reply.
>
> The underlying issue is that when Role R is required for Page P then
> *TWO* things need to happen depending on whether the user is in role R.
> These are
>
> 1. Allow or block access to page P.
> 2. Grey out or not grey out the menu item for page P.

Right, I understand.

> We only want to specify the fact that Role R is required for Page P
> ONCE. Declarations in web.xml handle 1. but not 2.

This is because the servlet spec does not have any way to ask what roles will be required for another URI. In fact, there's no way to ask what roles are required for the /current/ URI... you will have to determine the role requirements yourself, then loop over request.isUserInRole() checking each one looking for a match, then display the link as appropriate. It's messy, which is why not many people do this type of thing.

>> Well, since you haven't asked Tomcat to provide authorization, it
>> doesn't care about authentication. That seems perfectly reasonable to
>> me.
>
> Not so. I have asked Tomcat to provide authorization by calling
> request.isUserInRole(...). And Tomcat fails.

Calling request.isUserInRole does not "turn on" authorization checking. Adding <security-constraint> to web.xml does that. Tomcat is not failing. It is working as designed, and follows the servlet spec. If you can find another servlet container that /can/ do this, then it is operating outside of the servlet spec.

> IMHO it is a straight bug in an optimization. isUserInRole etc. needs
> to have an extra test:
> if (! authenticationHeaderProcessed() )
> processAuthenticationHeader();

Request.isUserInRole should happen long after the headers are processed. Your user's role is set at authentication time, not determined at authorization time.

Honestly, your best bet IMO is to scan web.xml yourself at webapp startup and build your own list of URIs and role mappings. Then, you can consult your own registry to find out whether the current user will be allowed to access a particular URI. Actually, it doesn't sound that hard. The only problem is that you will have to step outside of the API provided by the servlet spec (which is not a big deal at all).

The fact is that Tomcat will not perform authorization without also performing authentication.

-chris
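Chris's suggestion (scan web.xml once at startup, build your own URI-to-role registry, then consult it both to predict access and to grey out menu items) written out as an added example; it is not code from the thread or from Tomcat. It is Python rather than Java so the logic stays short; the web.xml text is a constructed sample, and the url-pattern matching order and the rules for combining auth-constraints follow the servlet spec.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptor (not from the thread), namespaced like a Servlet 2.4 web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/reports/public.jsp</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/admin/legacy/*</url-pattern></web-resource-collection>
    <auth-constraint/></security-constraint>
</web-app>"""
def _local(tag): return tag.rsplit('}', 1)[-1]   # drop the XML namespace from a tag name

def load_constraints(xml_text):
    """Registry built once at startup: [(url_patterns, roles)]; roles is None if <auth-constraint> is absent."""
    out = []
    for sc in (e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == 'security-constraint'):
        patterns = [p.text.strip() for w in sc if _local(w.tag) == 'web-resource-collection'
                    for p in w if _local(p.tag) == 'url-pattern']
        auth = [a for a in sc if _local(a.tag) == 'auth-constraint']
        out.append((patterns, None if not auth else {r.text.strip() for r in auth[0] if _local(r.tag) == 'role-name'}))
    return out

def _best_pattern(patterns, uri):
    """Servlet mapping order: exact match, longest '/prefix/*', '*.ext', then the default '/'."""
    if uri in patterns:
        return uri
    prefixes = [p for p in patterns if p.endswith('/*') and (uri == p[:-2] or uri.startswith(p[:-1]))]
    exts = [p for p in patterns if p.startswith('*.') and uri.endswith(p[1:])]
    return max(prefixes, key=len) if prefixes else exts[0] if exts else '/' if '/' in patterns else None

def required_roles(constraints, uri):
    """None = unrestricted, set() = denied to everyone, else any one of these roles grants access."""
    best = _best_pattern({p for pats, _ in constraints for p in pats}, uri)
    matched = [auth for pats, auth in constraints if best is not None and best in pats]
    if any(auth is not None and not auth for auth in matched):
        return set()        # an empty <auth-constraint/> overrides every other matching constraint
    if not matched or any(auth is None for auth in matched):
        return None         # no constraint, or one without <auth-constraint>: open to all
    return set().union(*matched)

def can_access(constraints, uri, user_roles):
    """user_roles None = unauthenticated; a role-name of '*' admits any authenticated user."""
    roles = required_roles(constraints, uri)
    return roles is None or (user_roles is not None and ('*' in roles or bool(roles & set(user_roles))))

def menu(constraints, links, user_roles):
    """Point 2 from the thread: grey out (enabled=False) each link the user would be blocked from."""
    return [(label, can_access(constraints, uri, user_roles)) for label, uri in links]
```

Inside a real webapp the user's roles would come from looping request.isUserInRole() over the role names the registry returns, exactly as described above.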