Johnny,

> I was hoping that for what you need it would be possible to piggyback on
> that simple framework, even if it meant parsing the tomcat-users.xml to
> gray menus, but it seems you have to work outside of that framework.

Parsing tomcat-users.xml never makes any sense. You can get all the information provided from that file through the servlet API: the user's name (request.getUserPrincipal().getName()) and you can check the roles using request.isUserInRole() -- of course, you have to know what roles to check, but you should already know that.

What you might want to parse is the authorization mapping, which usually resides in web.xml. The OP wants to put this somewhere else (not sure why) and then have Tomcat enforce it (which ain't gonna happen).

> If you're writing code at this level.... forget about that config
> stuff..... you're on your own.

If you really want to hack around with authentication and authorization, check out securityfilter (http://securityfilter.sourrceforge.net). The code is portable across servlet containers, and especially across different versions of the same container ;)

> I still have a feeling all you really need is the generic tomcat
> security and someone to write a little XML parsing code that gives you
> functions like
> IsThisUserAllowedToAccesThisPage(User,Link);

I believe this is correct.

> Then you have Two Maps to fill out.... User -> Role (already standard in
> tomcat)

There's no reason to manage that map yourself. All you need is what's already in the servlet API. You can also get the "Role -> Link" (really, URIs mapped to allowed roles) from web.xml. Just parse web.xml looking for <security-constraint> elements and use those.

One single point of configuration (a requirement by the OP), and Tomcat enforces your authorization, which is a nice feature. Not having to write your own security code is always nice, because usually other people's (security) code is better than yours is likely to be.

> Maybe.... Anyway I don't think you're going to find the magic function you're
> looking for

The only thing I can think of is using JMX to snoop Tomcat's existing URI->Roles mapping, which it's got to have lying around. The only question is whether or not it is available to unprivileged webapps.

-chris
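
An added example, not part of the original message: one way to read the <security-constraint> elements from web.xml and use them with request.isUserInRole() to decide which menu links to gray out. The class name ConstraintMap and its methods are hypothetical; it assumes each url-pattern appears in only one constraint, and it ignores <http-method> and the "*" role name. It only drives what the menu displays, while Tomcat keeps enforcing the same constraints on the actual requests.

```java
import java.io.InputStream;
import java.util.*;
import java.util.function.Predicate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example (hypothetical class): maps each url-pattern in web.xml to its allowed roles.
public class ConstraintMap {
    private final Map<String, Set<String>> rules = new HashMap<>(); // url-pattern -> roles
    public ConstraintMap(InputStream webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Do not fetch external DTDs or entities while parsing.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        Document doc = f.newDocumentBuilder().parse(webXml);
        NodeList cs = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < cs.getLength(); i++) {
            Element c = (Element) cs.item(i);
            // No <auth-constraint> at all means no role is required for these patterns.
            if (c.getElementsByTagName("auth-constraint").getLength() == 0) continue;
            Set<String> roles = new HashSet<>(); // stays empty for an empty <auth-constraint/>
            NodeList r = c.getElementsByTagName("role-name");
            for (int j = 0; j < r.getLength(); j++) roles.add(r.item(j).getTextContent().trim());
            NodeList p = c.getElementsByTagName("url-pattern");
            for (int j = 0; j < p.getLength(); j++) // assumption: one constraint per pattern
                rules.put(p.item(j).getTextContent().trim(), roles);
        }
    }
    // -1 = no match; higher = more specific (exact > longest prefix > extension > default).
    private static int score(String pattern, String path) {
        if (pattern.equals(path)) return Integer.MAX_VALUE;
        if (pattern.endsWith("/*")) {
            String base = pattern.substring(0, pattern.length() - 2);
            return (path.equals(base) || path.startsWith(base + "/")) ? pattern.length() : -1;
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1)) ? 1 : -1;
        return pattern.equals("/") ? 0 : -1;
    }
    // Pass request::isUserInRole as inRole; path is relative to the context root.
    public boolean isAllowed(String path, Predicate<String> inRole) {
        Set<String> best = null;
        int bestScore = -1;
        for (Map.Entry<String, Set<String>> e : rules.entrySet()) {
            int s = score(e.getKey(), path);
            if (s > bestScore) { bestScore = s; best = e.getValue(); }
        }
        if (best == null) return true; // no constraint covers this path
        for (String role : best) if (inRole.test(role)) return true;
        return false; // constrained, and the user holds none of the listed roles
    }
}
```

Inside a servlet, the input stream can come from getServletContext().getResourceAsStream("/WEB-INF/web.xml"), and a menu entry is shown active when isAllowed("/admin/users.jsp", request::isUserInRole) returns true (the path here is a constructed sample).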