dirk ooms wrote:
Chris, Andre,

thanks for sharing your thoughts, it helped me to see things more clearly.

changing a user object in the session is something i already did. the
problem with this (and which was triggering my initial question) is
that a new user could have access rights to more functionality than the
first user, but that the access to this functionality is blocked by the
container because of the role based security constraints i have defined
in web.xml (the container does not know that there is a new user with
other roles, so it is still applying the access rules of the first user).

anyway to move forward i decided to use the container-managed
authentication just as yes/no to obtain access to the complete
application and to move authorization to the application itself.


How about your barcode (or card or whatever) idea, to allow users to switch ID on the fly? I am curious as to how you implement that.

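An added example, not part of the thread and not code from either poster: a servlet filter sketching the split described above, where the `web.xml` security constraint only requires a valid login and role checks are made against the user object currently stored in the session. The attribute name `currentUser`, the `AppUser` class, the path-to-role table and the `javax.servlet` namespace with Java 9+ are assumptions.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: the container decides "logged in or not"; this filter
// authorizes each request against whoever is in the session right now.
public class AppAuthorizationFilter implements Filter {

    // Assumed session attribute name (not from the thread).
    static final String CURRENT_USER = "currentUser";

    // Assumed application user type carrying its own role set.
    public static final class AppUser implements Serializable {
        final String name;
        final Set<String> roles;
        public AppUser(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    // Constructed sample policy: path prefix -> role required for it.
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
        "/admin/", "admin",
        "/stock/", "warehouse");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        HttpSession session = req.getSession(false);
        AppUser user = session == null ? null : (AppUser) session.getAttribute(CURRENT_USER);
        if (user == null) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; } // fail closed

        // Use the container-decoded path, not the raw request URI, for the decision.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        for (Map.Entry<String, String> rule : REQUIRED_ROLE.entrySet()) {
            if (path.startsWith(rule.getKey()) && !user.roles.contains(rule.getValue())) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res); // roles come from the session user, so a switch takes effect at once
    }
}
```

In this sample, any path not listed in the table is open to every logged-in user, so the filter must be mapped to all protected URLs and the table must cover each one that needs a role.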