Pid wrote:
David Kerber wrote:
...
There isn't a standard way of doing programmatical security of this
nature - the nature of it is such that you have to write it yourself.

That is essentially what I'm trying to do, using various built-in
tools, such as java.security.acl.*, sun.security.acl.AclImpl,
sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
I'm just having trouble figuring out how these tools are intended to
be used.

I wouldn't start there when securing a web application, but other list
members might. Sounds like the long route to a solution.
The spec defines role based access control; the majority of your
problem can be resolved by configuring a Realm and your app so that
restrictions can be applied on a URL by URL basis.
All of this can be done without having to use 'java.security.acl', but
with the facilities provided by Tomcat.
I'd recommend looking/trying the realm thing before you proceed.

I'll do that, but one quick question: can the realm thing get user
information and authenticate against a database? This app has several
hundred potential users and sites to which they will have access in
varying combinations.

Programmatical checks at each read/write point, using username based
SQL queries if your user can be linked/related to the stock DB;
it's a logical problem more than a Tomcat problem, I think.

I know it's not primarily a Tomcat problem, which is why I initially
posted in comp.lang.java.security. However, there are still no
responses there after two days.

Thanks for the comments!

Dave
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
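
As an added example (not code from this thread or from Tomcat), here is one way to implement the programmatic check discussed above: the Realm authenticates the user, and each read/write point passes `request.getRemoteUser()` and the site id to a parameterized query. The class `SiteAccess` and the table `user_site_access` are hypothetical names assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/**
 * Added example: per-site authorization keyed on the container-authenticated user.
 * Assumed (hypothetical) schema: user_site_access(username, site_id, can_write).
 */
public final class SiteAccess {
    // Parameterized query: the username is never concatenated into the SQL text.
    private static final String SQL =
        "SELECT can_write FROM user_site_access WHERE username = ? AND site_id = ?";

    private final DataSource ds;

    public SiteAccess(DataSource ds) {
        this.ds = ds;
    }

    /** Call with request.getRemoteUser() before every read of site data. */
    public boolean canRead(String username, long siteId) {
        return lookup(username, siteId, false);
    }

    /** Call with request.getRemoteUser() before every write to site data. */
    public boolean canWrite(String username, long siteId) {
        return lookup(username, siteId, true);
    }

    private boolean lookup(String username, long siteId, boolean needWrite) {
        if (username == null) {
            return false; // request was not authenticated by the Realm
        }
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, username);
            ps.setLong(2, siteId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // no row for this user and site: no access
                }
                return !needWrite || rs.getBoolean(1);
            }
        } catch (SQLException e) {
            return false; // fail closed; a real application would also log e
        }
    }
}
```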