Oh, really? I just guessed that if the user could see the absolute url to
used/available files in the application (jsp- or pdf-files) then it was also
possible that the user could compromise the files in that directory, overwrite
them or even save new files. But you state that users can NOT save new files in
a directory. Then they can NOT do any of the other stated actions, right? Or
have I misunderstood?
Thanks!
> Date: Wed, 18 Aug 2010 13:32:00 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
>
> K A wrote:
> > Hello
> >
> > I've developed a web-application in which I'd like to have some control of
> > which resources are accessed by whom. My project is called "Server" in
> > which I've got 3 directories: "/user" which all roles are allowed to
> > access, "/admin" which ONLY administrators are allowed to access and
> > "resources" in which I've got some files which users are allowed to read
> > and administrators are allowed to both read and write.
>
> What do you mean by "write" ? There is nothing in tomcat itself which allows
> users to
> write anywhere on the server.
> If it is your application which allows some users to do that, then it belongs
> to your
> application to check their permissions to do so.
>
> >
> > I'm using a FORM to login. The form action is "POST" and the action is
> > "j_security_check", the username field's name is "j_username" and the
> > password field's is "j_password".
> > I've implemented a security-check in the jsp-file itself where I'm checking
> > for the type of login the current user has. If the type is aproved then the
> > user is allowed to access the page.
> >
>
> That is all very nice, but mostly irrelevant. The important thing here is
> that your
> application would know who the user is, if it wants to control access to some
> functions in
> function of the user.
>
> > But when I test the application and try to access the files in the other
> > library then I've got access no matter what. This wasn't the intension.
> >
>
> ...
> >
> > Can somebody please give me a detailed walkthrough on how to achieve this?
> >
> I believe that for that, you'll have to be prepared to pay someone.
>
> To say the above in another way : in tomcat itself, there is no mechanism for
> allowing a
> user to upload anything and write it somewhere on the server.
> So you will not find anything in the tomcat documentation which explains how
> to do what
> you want.
>
> You will have to look for a separate web application which does that.
> And such an application would most probably contain some form of a
> permissions mechanism.
>
> One such application is DAV, which used to be included in the tomcat sample
> applications.
> If you use the "Find Page" button in the FAQ, and enter "DAV", it shows some
> links which
> might help you.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
