Christopher, thank you for your great help,

2007/10/10, Christopher Schultz <[EMAIL PROTECTED]>:

> >> ...why you want your own servlets to do the authorization instead
> >> of the container (or securityfilter)?
> >
> > This is the main question. Today we decided to do nothing new with
> > authentication and use special "guest" user in the first version of
> > servlet.
>
> I'm not sure what that means.


Well, have you ever configured path-based authentication for Subversion
Server? The pba config file contains a set of rules and they look like

[/path/in/repos]
*=
user1=r

So the anonymous user doesn't have any read permissions, but a user logged on as
"user1" may read from /path/in/repos. In our case, the configuration above means
that a user logged on as "guest" has no permissions and "user1" has read
permissions.


> > And only if users will ask for anonymous access I described earlier, we'll
> > develop custom mechanism or maybe use security filter.
>
> I'm not convinced you need either. You can use the built-in Tomcat
> authentication to do logins.


It sounds interesting. So if there is no <security-constraint> element in
web.xml, Tomcat doesn't provide authorization, right? And if web.xml contains
a <login-config> element and doesn't contain a <security-constraint> element,
then the servlet gets the Principal object anyway (if the client sent user/pass
then request.getRemoteUser() returns "user", and if not, request.getRemoteUser()
returns null)? Well, at least I will try to configure Tomcat this way.

> You can also use the built-in
> authorization, but it looks like you don't want authorization at all:
> you want a site that basically lets anyone use it, but also allows
> logins for other things (but you haven't mentioned any of them).


There is no site and pages, we have a servlet that handles requests via the WebDAV
protocol (an extension of HTTP/1.1). There are two types of requests we
should handle in the servlet:
1. Requests with no authentication data. If such a request tries to access
/some/path and the pba config file contains the rule:
[/some/path]
*=r
then we do not send any error, handle the request and normally send the result,
otherwise we send the SC_UNAUTHORIZED error.
2. Requests with authentication data, for instance the client sends us a
username/password and tries to access /some/path. So we want Tomcat to check
if this username/password pair is valid (at this moment Tomcat looks at the
Realm class, as I think), so if it's not valid, Tomcat should send
SC_UNAUTHORIZED, otherwise the servlet checks the request using pba and if the
pba config file has the rule:
[/some/path]
username=r
then we do not send any error and handle the request normally, otherwise we send
the SC_FORBIDDEN error.
So my question now is: if Tomcat is configured to provide built-in
authentication and not to provide built-in authorization, can we get the
described behavior?

Hope this explanation is more clear.

Thanks,
S. Vadishev.
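The two-case decision described in the message above, written out as an added example (plain Java with no servlet dependency; not code from the thread or from Tomcat): a small parser for the pba-style rules and a decide() method that returns the status the servlet would send. It assumes the class name PathAuthz, that remoteUser is the value request.getRemoteUser() would give (null when no credentials were sent), and the Subversion authz conventions that a [section] also covers the paths below it and that a user-specific entry overrides "*".

```java
import java.util.HashMap;
import java.util.Map;

/** Path-based authorization decision for one WebDAV request (added example, plain JDK). */
public class PathAuthz {
    public static final int SC_OK = 200, SC_UNAUTHORIZED = 401, SC_FORBIDDEN = 403;
    // section path -> (user name or "*" -> permission string such as "r", "rw" or "")
    private final Map<String, Map<String, String>> rules = new HashMap<>();

    /** Parses Subversion-style authz text: [/path] headers followed by name=perm lines. */
    public PathAuthz(String config) {
        Map<String, String> section = null;
        for (String raw : config.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = rules.computeIfAbsent(line.substring(1, line.length() - 1), k -> new HashMap<>());
            } else if (section != null && line.indexOf('=') > 0) {
                int eq = line.indexOf('=');
                section.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
    }

    /** Walks up from the request path to the nearest [section] (assumed Subversion behaviour). */
    private Map<String, String> sectionFor(String path) {
        for (String p = path; ; p = p.substring(0, p.lastIndexOf('/'))) {
            Map<String, String> s = rules.get(p.isEmpty() ? "/" : p);
            if (s != null || p.isEmpty()) return s;
        }
    }

    /** Permission string for name; an entry for the name itself beats the "*" entry. */
    private static String permFor(Map<String, String> section, String name) {
        if (section == null) return "";
        String perm = section.get(name);
        return perm != null ? perm : section.getOrDefault("*", "");
    }

    /** remoteUser: what request.getRemoteUser() would return, null when no credentials were sent. */
    public int decide(String path, String remoteUser) {
        Map<String, String> section = sectionFor(path.startsWith("/") ? path : "/" + path);
        if (remoteUser == null) {   // case 1: anonymous request, only a "*=r" rule lets it through
            return permFor(section, "*").contains("r") ? SC_OK : SC_UNAUTHORIZED;
        }                           // case 2: Tomcat already validated the password, pba decides
        return permFor(section, remoteUser).contains("r") ? SC_OK : SC_FORBIDDEN;
    }

    public static void main(String[] args) {
        // Constructed sample config in the format quoted in the mail (not a real repository's file).
        PathAuthz authz = new PathAuthz("[/path/in/repos]\n*=\nuser1=r\n\n[/some/path]\n*=r\n");
        System.out.println("anonymous /path/in/repos   -> " + authz.decide("/path/in/repos", null));
        System.out.println("user1     /path/in/repos   -> " + authz.decide("/path/in/repos", "user1"));
        System.out.println("guest     /path/in/repos   -> " + authz.decide("/path/in/repos", "guest"));
        System.out.println("anonymous /some/path/a.txt -> " + authz.decide("/some/path/a.txt", null));
    }
}
```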
