Christopher,

2007/10/10, Christopher Schultz <[EMAIL PROTECTED]>:

> Tomcat's built-in A&A requires that an unauthenticated user request a
> protected resource (protected by a <security-constraint>). When this
> happens, Tomcat intercepts the request internally and issues the
> appropriate login request (HTTP AUTH, FORM, etc.). Upon successful
> authentication, Tomcat re-processes the original request.
>
> Tomcat authorization is done separately, though probably by the same
> component (Valve).

[...]

>
> Don't worry: authentication is really easy. Authorization isn't that
> bad, either, especially since you will probably only have a single
> servlet that needs protecting. The problem with these things is usually
> making sure you didn't miss anything (like leaving a swath of URIs
> unprotected).
>
> Feel free to look at Tomcat's Realm implementations for coding
> inspiration.


So implementing an internal server component (probably a valve) is the only
solution, right? And is this a container-independent solution?

Thanks,
S. Vadishev.
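
The quoted caution about leaving a swath of URIs unprotected can be checked mechanically against the deployment descriptor. The following is an added example, not part of the thread or of Tomcat: it lists servlet mappings that no `<security-constraint>` with an `<auth-constraint>` covers for all HTTP methods. The names `covers` and `audit` and the sample `web.xml` are constructed for illustration, and the check does not model a more specific constraint overriding a broader one.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample deployment descriptor (not from the thread).
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>report</servlet-name><url-pattern>/reports/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>export</servlet-name><url-pattern>/export</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _kids(el, name):
    # Match on local name so namespaced and un-namespaced descriptors both work.
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def _patterns(el):
    return [(p.text or "").strip() for p in _kids(el, "url-pattern")]

def covers(constraint, mapping):
    """True if every URI matched by `mapping` is also matched by `constraint`."""
    if constraint == "/*" or constraint == mapping:
        return True
    if constraint.endswith("/*"):            # path-prefix pattern
        prefix = constraint[:-2]
        return mapping == prefix or mapping.startswith(prefix + "/")
    if constraint.startswith("*."):          # extension pattern vs. exact path
        return not mapping.endswith("/*") and mapping.endswith(constraint[1:])
    return False

def audit(web_xml):
    """Return (servlet mappings with no all-method auth constraint, method-limited patterns)."""
    root = ET.fromstring(web_xml)
    full, partial = [], []
    for sc in _kids(root, "security-constraint"):
        if not _kids(sc, "auth-constraint"):
            continue                         # constraint does not restrict access
        for wrc in _kids(sc, "web-resource-collection"):
            # Listing <http-method> leaves every unlisted method unconstrained.
            (partial if _kids(wrc, "http-method") else full).extend(_patterns(wrc))
    mappings = [p for m in _kids(root, "servlet-mapping") for p in _patterns(m)]
    return [m for m in mappings if not any(covers(c, m) for c in full)], partial

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```

On the sample, `/export` is reported because no constraint names it, and `/admin/*` is reported because its constraint applies only to GET and POST.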
