Thanks for your replies, I think that the matter is settled. > > The underlying issue is that when Role R is required for Page P then > > *TWO* things need to happen depending on whether the user is in role R. > > These are > > > > 1. Allow or block access to page P. > > 2. Grey out or not grey out the menu item for page P. > > Right, I understand.
> The fact is that Tomcat will not perform authorization without also > performing authentication. That is the crux of the matter. IMHO it is a bug, whether in the implementation or the spec I don't know or really care. The APIs take a very simplistic view of the world, and it just does not work for me at least. Pity, as not much more is needed. I could indeed scan web.xml given the inadequate API (rolesRequiredForUrl(), rolesForUser() etc.). (Scanning is possible but ugly -- needs duplication of URL pattern processing). But I prefer not to scan web.xml because I have other information about each form, and it would be nice to put the source of truth for the security info in the same place. But thanks for all the help. I have some Tomcat hacks that work for the time being. Later I will look for a fuller framework, either mine or someone else's, that is not J2EE based. > If you really want to hack around with authentication and authorization, > check out securityfilter (http://securityfilter.sourrceforge.net). The > code is portable across servlet containers, and especially across > different versions of the same container ;) Looks interesting. (Link is actually http://securityfilter.sourceforge.net, your link was to a spam site.) Anthony --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
