Posted to users@tomcat.apache.org by Robert Sanders <ro...@telocity.com> on 2002/06/26 03:18:08 UTC

Authentication checking.

OK; let me describe what I am attempting to do :

I have successfully set up a web application under Tomcat 4.  I enabled 
JDBCRealm authentication.  I defined different roles and assigned users 
to them.   I limited access to web access.

Here is my question: is there a way to programmatically check a URL / 
file pattern (using a Tag Library / Servlet) such that I could tell if 
a user would be able to access the URL?  What I'd like is a Tag that 
simply hides links that users cannot access.  I know I could do this by 
setting up different, but similar pages and then redirecting based on 
user to the correct JSP page, but I'd like something a little more 
flexible. I could also roll my own authentication, but this seems 
inefficient.  I know the solution will be specific to Tomcat, but I plan 
on abstracting the logic so that it can be extended to work elsewhere 
if needed.

Any help would be much appreciated.

Robert Sanders



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Authentication checking.

Posted by Robert Sanders <ro...@telocity.com>.
Thanks,  I could have tracked it down eventually, but I think I should 
be able to find what I wanted much faster with your pointers.

Craig R. McClanahan wrote:

>For obvious security reasons, the Catalina internal classes are protected
>from access by webapps, unless you are specifically configured as a
>"privileged" webapp (like the Manager webapp is).
>
>Obviously, taking this approach ties you to Tomcat, so it's not what I
>would recommend doing.
>
>  
>
>>2) If not, could someone point me to the Tomcat (or Jetty) classes
>>that do the parsing of the security constraints for the web.xml so I can
>>reuse it, rather than starting from scratch?
>>
>>    
>>
>
>Catalina uses an instance of Digester (from the commons-digester package)
>to parse web.xml (and server.xml).  This is set up and used in class
>org.apache.catalina.startup.ContextConfig -- see method
>createWebDigester() in the 4.1.x sources.
>
>You could emulate this kind of parsing at the application level and still
>be portable, because you can get an input stream to the web.xml file like
>this:
>
>  InputStream is =
>    getServletContext().getResourceAsStream("/WEB-INF/web.xml");
>
>and pass it to the parsing method of a Digester instance.
>
>  
>
>>Thanks,
>>    Robert Sanders.
>>    
>>
>
>Craig
>  
>







Re: Authentication checking.

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 26 Jun 2002, Robert Sanders wrote:

> Date: Wed, 26 Jun 2002 19:45:02 -0500
> From: Robert Sanders <ro...@telocity.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Re: Authentication checking.
>
> Yeah, this is sort of what I had been thinking.  Then I got to looking
> at the Catalina JavaDocs and it seemed to me that if I could get a valid
> org.apache.catalina.core.StandardContext object for the current
> web-app then I could get the SecurityConstraint[] array using
> findConstraints() and it looked like I could take it from there.
>
>

> I know this might be better to ask on the developers list, but what I
> was wondering is :
>
> 1) Can the above be done?

For obvious security reasons, the Catalina internal classes are protected
from access by webapps, unless you are specifically configured as a
"privileged" webapp (like the Manager webapp is).

Obviously, taking this approach ties you to Tomcat, so it's not what I
would recommend doing.

>
> 2) If not, could someone point me to the Tomcat (or Jetty) classes
> that do the parsing of the security constraints for the web.xml so I can
> reuse it, rather than starting from scratch?
>

Catalina uses an instance of Digester (from the commons-digester package)
to parse web.xml (and server.xml).  This is set up and used in class
org.apache.catalina.startup.ContextConfig -- see method
createWebDigester() in the 4.1.x sources.

You could emulate this kind of parsing at the application level and still
be portable, because you can get an input stream to the web.xml file like
this:

  InputStream is =
    getServletContext().getResourceAsStream("/WEB-INF/web.xml");

and pass it to the parsing method of a Digester instance.

> Thanks,
>     Robert Sanders.

Craig


>
>
> Craig R. McClanahan wrote:
>
> >Well, you can always parse the "/WEB-INF/web.xml" file yourself to
> >determine what roles are required to access "/reports/invoices.jsp", then
> >use the request.isUserInRole test to check whether the current user has
> >any of the required roles.  But there are no standard APIs that do this for
> >you.
> >
> >Craig
> >
> >
>




Re: Authentication checking.

Posted by Robert Sanders <ro...@telocity.com>.
Yeah, this is sort of what I had been thinking.  Then I got to looking 
at the Catalina JavaDocs and it seemed to me that if I could get a valid 
org.apache.catalina.core.StandardContext object for the current 
web-app then I could get the SecurityConstraint[] array using 
findConstraints() and it looked like I could take it from there.

I know this might be better to ask on the developers list, but what I 
was wondering is :

1) Can the above be done?

2) If not, could someone point me to the Tomcat (or Jetty) classes 
that do the parsing of the security constraints for the web.xml so I can 
reuse it, rather than starting from scratch?

Thanks,
    Robert Sanders.


Craig R. McClanahan wrote:

>Well, you can always parse the "/WEB-INF/web.xml" file yourself to
>determine what roles are required to access "/reports/invoices.jsp", then
>use the request.isUserInRole test to check whether the current user has
>any of the required roles.  But there are no standard APIs that do this for
>you.
>
>Craig
>  
>







Re: Authentication checking.

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 25 Jun 2002, Robert Sanders wrote:

> Date: Tue, 25 Jun 2002 22:00:06 -0500
> From: Robert Sanders <ro...@telocity.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Re: Authentication checking.
>
> Yeah.  But what if I don't want my application to worry about "manager",
> "user", "admin", etc.?  For instance, most of what I do is for an
> intranet site that only my company sees.  Because of that it is in a
> state of nearly constant flux.  I just want to do some test like:
>
> if  ( user.canAccess("/reports/invoices.jsp")) {
>     .....
> }
>

Well, you can always parse the "/WEB-INF/web.xml" file yourself to
determine what roles are required to access "/reports/invoices.jsp", then
use the request.isUserInRole test to check whether the current user has
any of the required roles.  But there are no standard APIs that do this for
you.

Craig


>
> Craig R. McClanahan wrote:
>
> >On Tue, 25 Jun 2002, Robert Sanders wrote:
> >
> >
> >
> >>Date: Tue, 25 Jun 2002 20:18:08 -0500
> >>From: Robert Sanders <ro...@telocity.com>
> >>Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> >>To: tomcat-user@jakarta.apache.org
> >>Subject: Authentication checking.
> >>
> >>OK; let me describe what I am attempting to do :
> >>
> >>I have successfully set up a web application under Tomcat 4.  I enabled
> >>JDBCRealm authentication.  I defined different roles and assigned users
> >>to them.   I limited access to web access.
> >>
> >>Here is my question: is there a way to programmatically check a URL /
> >>file pattern (using a Tag Library / Servlet) such that I could tell if
> >>a user would be able to access the URL?  What I'd like is a Tag that
> >>simply hides links that users cannot access.  I know I could do this by
> >>setting up different, but similar pages and then redirecting based on
> >>user to the correct JSP page, but I'd like something a little more
> >>flexible. I could also roll my own authentication, but this seems
> >>inefficient.  I know the solution will be specific to Tomcat, but I plan
> >>on abstracting the logic so that it can be extended to work elsewhere
> >>if needed.
> >>
> >>
> >>
> >
> >The simplest way to accomplish the goal of hiding what the user cannot
> >access anyway is to utilize the request.isUserInRole() method.  For
> >example (illustrated using scriptlets, but you could very easily create a
> >tag that did the same thing):
> >
> >  <%
> >    if (request.isUserInRole("manager")) {
> >  %>
> >      ... display the options only a manager can see ...
> >  <%
> >    }
> >  %>
> >
> >A tag implementation of this notion would perform the test in the
> >doStartTag() method, and return SKIP_BODY or EVAL_BODY_INCLUDE based on
> >the result of the test.
> >
> >Finally, if you are using Struts <http://jakarta.apache.org/struts>, there
> >is a built in tag that can do exactly this sort of thing, plus a lot more:
> >
> >  <logic:present role="manager">
> >    ... display the options only a manager can see ...
> >  </logic:present>
> >
> >
> >
> >>Any help would be much appreciated.
> >>
> >>Robert Sanders
> >>
> >>
> >>
> >
> >Craig McClanahan


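Craig's suggestion in the two replies above (read the application's own /WEB-INF/web.xml through getServletContext().getResourceAsStream(), work out which roles a path requires, then test them with request.isUserInRole()) written out as an added example. It is not code from the thread, from Tomcat or from Struts: it parses with plain JAXP DOM rather than Digester, the class and method names (AccessCheck, canAccess) are invented for the example, and it approximates the container's rules for combining overlapping constraints (roles of all matching constraints are unioned, a constraint with no auth-constraint opens the resource, an empty auth-constraint closes it to everyone, which is how the Servlet 2.4 specification, section 12.8, describes it; Tomcat 4 instead picks the best-matching pattern by precedence). The path argument is assumed to be context-relative and without a query string. The result is a hint for deciding whether to render a link; the container still makes the real access decision when the request arrives.

```java
import java.io.InputStream;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * canAccess(ctx, request, "/reports/invoices.jsp"): reads /WEB-INF/web.xml, finds the
 * <security-constraint> elements whose url-patterns cover the path, and asks
 * request.isUserInRole() for the roles they require.  Servlet API + JAXP only, so it is
 * portable; it is a hint for hiding links, the container still enforces the constraints.
 */
public final class AccessCheck {

    public static boolean canAccess(ServletContext ctx, HttpServletRequest request,
                                    String path) throws Exception {
        InputStream in = ctx.getResourceAsStream("/WEB-INF/web.xml");
        if (in == null) throw new IllegalStateException("no /WEB-INF/web.xml in this context");
        Document webXml = parse(in);
        Set<String> roles = new LinkedHashSet<String>();
        boolean matched = false, openToAll = false;
        NodeList constraints = webXml.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element sc = (Element) constraints.item(i);
            if (!applies(sc, path, request.getMethod())) continue;
            matched = true;
            NodeList auth = sc.getElementsByTagName("auth-constraint");
            if (auth.getLength() == 0) { openToAll = true; continue; } // no auth-constraint: anyone
            NodeList names = ((Element) auth.item(0)).getElementsByTagName("role-name");
            if (names.getLength() == 0) return false;   // empty <auth-constraint/>: nobody, overrides all
            for (int j = 0; j < names.getLength(); j++) roles.add(text(names.item(j)));
        }
        if (!matched || openToAll) return true;
        if (request.getRemoteUser() == null) return false;  // roles required, nobody logged in
        for (String role : roles) {
            // "*" is treated as "any authenticated user" here (assumption: the spec ties it to
            // the roles declared in <security-role>).
            if ("*".equals(role) || request.isUserInRole(role)) return true;
        }
        return false;
    }

    /** True if any web-resource-collection of the constraint covers both path and method. */
    static boolean applies(Element sc, String path, String method) {
        NodeList colls = sc.getElementsByTagName("web-resource-collection");
        for (int i = 0; i < colls.getLength(); i++) {
            Element wrc = (Element) colls.item(i);
            if (!methodCovered(wrc, method)) continue;
            NodeList patterns = wrc.getElementsByTagName("url-pattern");
            for (int j = 0; j < patterns.getLength(); j++) {
                if (matches(text(patterns.item(j)), path)) return true;
            }
        }
        return false;
    }

    /** No <http-method> element means every method; otherwise the method must be listed. */
    static boolean methodCovered(Element wrc, String method) {
        NodeList methods = wrc.getElementsByTagName("http-method");
        if (methods.getLength() == 0) return true;
        for (int i = 0; i < methods.getLength(); i++) {
            if (text(methods.item(i)).equalsIgnoreCase(method)) return true;
        }
        return false;
    }

    /** The four url-pattern forms of the servlet spec: exact, path prefix, extension, default. */
    static boolean matches(String pattern, String path) {
        if (pattern.equals(path)) return true;                          // exact
        if (pattern.equals("/") || pattern.equals("/*")) return true;   // default / whole app
        if (pattern.endsWith("/*")) {                                   // path prefix
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1)); // extension
        return false;
    }

    static String text(Node n) { return n.getTextContent().trim(); }

    /** web.xml carries a DOCTYPE: parse without fetching the DTD or expanding external entities. */
    static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        try {
            return f.newDocumentBuilder().parse(in);
        } finally {
            in.close();
        }
    }
}
```

From a JSP this is `AccessCheck.canAccess(application, request, "/reports/invoices.jsp")`, and a tag handler gets the same two objects from pageContext. The example re-parses web.xml on every call to stay self-contained; in production parse it once (a ServletContextListener storing the Document as a context attribute is the usual place). The parser settings matter: a Tomcat 4 web.xml starts with a DOCTYPE pointing at java.sun.com, and a DocumentBuilder with default settings would try to fetch that DTD over the network on every parse and would honour external entities, so both are switched off.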


Re: Authentication checking.

Posted by Robert Sanders <ro...@telocity.com>.
Yeah.  But what if I don't want my application to worry about "manager", 
"user", "admin", etc.?  For instance, most of what I do is for an 
intranet site that only my company sees.  Because of that it is in a 
state of nearly constant flux.  I just want to do some test like:

if  ( user.canAccess("/reports/invoices.jsp")) {
    .....
}


Craig R. McClanahan wrote:

>On Tue, 25 Jun 2002, Robert Sanders wrote:
>
>  
>
>>Date: Tue, 25 Jun 2002 20:18:08 -0500
>>From: Robert Sanders <ro...@telocity.com>
>>Reply-To: Tomcat Users List <to...@jakarta.apache.org>
>>To: tomcat-user@jakarta.apache.org
>>Subject: Authentication checking.
>>
>>OK; let me describe what I am attempting to do :
>>
>>I have successfully set up a web application under Tomcat 4.  I enabled
>>JDBCRealm authentication.  I defined different roles and assigned users
>>to them.   I limited access to web access.
>>
>>Here is my question: is there a way to programmatically check a URL /
>>file pattern (using a Tag Library / Servlet) such that I could tell if
>>a user would be able to access the URL?  What I'd like is a Tag that
>>simply hides links that users cannot access.  I know I could do this by
>>setting up different, but similar pages and then redirecting based on
>>user to the correct JSP page, but I'd like something a little more
>>flexible. I could also roll my own authentication, but this seems
>>inefficient.  I know the solution will be specific to Tomcat, but I plan
>>on abstracting the logic so that it can be extended to work elsewhere
>>if needed.
>>
>>    
>>
>
>The simplest way to accomplish the goal of hiding what the user cannot
>access anyway is to utilize the request.isUserInRole() method.  For
>example (illustrated using scriptlets, but you could very easily create a
>tag that did the same thing):
>
>  <%
>    if (request.isUserInRole("manager")) {
>  %>
>      ... display the options only a manager can see ...
>  <%
>    }
>  %>
>
>A tag implementation of this notion would perform the test in the
>doStartTag() method, and return SKIP_BODY or EVAL_BODY_INCLUDE based on
>the result of the test.
>
>Finally, if you are using Struts <http://jakarta.apache.org/struts>, there
>is a built in tag that can do exactly this sort of thing, plus a lot more:
>
>  <logic:present role="manager">
>    ... display the options only a manager can see ...
>  </logic:present>
>
>  
>
>>Any help would be much appreciated.
>>
>>Robert Sanders
>>
>>    
>>
>
>Craig McClanahan







Re: Authentication checking.

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Replying to my reply, I forgot to note that the approach suggested below
is ***not*** restricted to Tomcat -- it relies only on standard, portable,
features of the servlet API.

Craig


On Tue, 25 Jun 2002, Craig R. McClanahan wrote:

> Date: Tue, 25 Jun 2002 19:40:06 -0700 (PDT)
> From: Craig R. McClanahan <cr...@apache.org>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Re: Authentication checking.
>
>
>
> On Tue, 25 Jun 2002, Robert Sanders wrote:
>
> > Date: Tue, 25 Jun 2002 20:18:08 -0500
> > From: Robert Sanders <ro...@telocity.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: tomcat-user@jakarta.apache.org
> > Subject: Authentication checking.
> >
> > OK; let me describe what I am attempting to do :
> >
> > I have successfully set up a web application under Tomcat 4.  I enabled
> > JDBCRealm authentication.  I defined different roles and assigned users
> > to them.   I limited access to web access.
> >
> > Here is my question: is there a way to programmatically check a URL /
> > file pattern (using a Tag Library / Servlet) such that I could tell if
> > a user would be able to access the URL?  What I'd like is a Tag that
> > simply hides links that users cannot access.  I know I could do this by
> > setting up different, but similar pages and then redirecting based on
> > user to the correct JSP page, but I'd like something a little more
> > flexible. I could also roll my own authentication, but this seems
> > inefficient.  I know the solution will be specific to Tomcat, but I plan
> > on abstracting the logic so that it can be extended to work elsewhere
> > if needed.
> >
>
> The simplest way to accomplish the goal of hiding what the user cannot
> access anyway is to utilize the request.isUserInRole() method.  For
> example (illustrated using scriptlets, but you could very easily create a
> tag that did the same thing):
>
>   <%
>     if (request.isUserInRole("manager")) {
>   %>
>       ... display the options only a manager can see ...
>   <%
>     }
>   %>
>
> A tag implementation of this notion would perform the test in the
> doStartTag() method, and return SKIP_BODY or EVAL_BODY_INCLUDE based on
> the result of the test.
>
> Finally, if you are using Struts <http://jakarta.apache.org/struts>, there
> is a built in tag that can do exactly this sort of thing, plus a lot more:
>
>   <logic:present role="manager">
>     ... display the options only a manager can see ...
>   </logic:present>
>
> > Any help would be much appreciated.
> >
> > Robert Sanders
> >
>
> Craig McClanahan




Re: Authentication checking.

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 25 Jun 2002, Robert Sanders wrote:

> Date: Tue, 25 Jun 2002 20:18:08 -0500
> From: Robert Sanders <ro...@telocity.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: Authentication checking.
>
> OK; let me describe what I am attempting to do :
>
> I have successfully set up a web application under Tomcat 4.  I enabled
> JDBCRealm authentication.  I defined different roles and assigned users
> to them.   I limited access to web access.
>
> Here is my question: is there a way to programmatically check a URL /
> file pattern (using a Tag Library / Servlet) such that I could tell if
> a user would be able to access the URL?  What I'd like is a Tag that
> simply hides links that users cannot access.  I know I could do this by
> setting up different, but similar pages and then redirecting based on
> user to the correct JSP page, but I'd like something a little more
> flexible. I could also roll my own authentication, but this seems
> inefficient.  I know the solution will be specific to Tomcat, but I plan
> on abstracting the logic so that it can be extended to work elsewhere
> if needed.
>

The simplest way to accomplish the goal of hiding what the user cannot
access anyway is to utilize the request.isUserInRole() method.  For
example (illustrated using scriptlets, but you could very easily create a
tag that did the same thing):

  <%
    if (request.isUserInRole("manager")) {
  %>
      ... display the options only a manager can see ...
  <%
    }
  %>

A tag implementation of this notion would perform the test in the
doStartTag() method, and return SKIP_BODY or EVAL_BODY_INCLUDE based on
the result of the test.

Finally, if you are using Struts <http://jakarta.apache.org/struts>, there
is a built in tag that can do exactly this sort of thing, plus a lot more:

  <logic:present role="manager">
    ... display the options only a manager can see ...
  </logic:present>

> Any help would be much appreciated.
>
> Robert Sanders
>

Craig McClanahan


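The tag Craig sketches above (the role test in doStartTag(), returning SKIP_BODY or EVAL_BODY_INCLUDE), written out as an added example. It is not code from the thread or from Struts: the tag name, the prefix and the roles attribute are invented here, the attribute accepts a comma-separated list so one tag can cover "any of these roles", and the TLD entry that declares it is only shown as a comment. It relies on nothing beyond HttpServletRequest.isUserInRole(), so, as Craig notes, it runs on any servlet container.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

/**
 * <sec:ifUserInRole roles="manager,admin"> ... </sec:ifUserInRole>
 *
 * Renders its body once when the authenticated user holds at least one of the
 * listed roles, otherwise skips it.  Assumed TLD entry (not part of this block):
 *
 *   <tag>
 *     <name>ifUserInRole</name>
 *     <tag-class>IfUserInRoleTag</tag-class>
 *     <body-content>JSP</body-content>
 *     <attribute><name>roles</name><required>true</required></attribute>
 *   </tag>
 */
public class IfUserInRoleTag extends TagSupport {

    private String roles;   // comma-separated, e.g. "manager,admin"

    public void setRoles(String roles) {
        this.roles = roles;
    }

    public int doStartTag() throws JspException {
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();
        // Fail closed: no roles attribute or no authenticated user means hide the body.
        // isUserInRole() is already false for anonymous users; the explicit check just
        // makes the intent visible.
        if (roles == null || request.getRemoteUser() == null) {
            return SKIP_BODY;
        }
        for (String role : roles.split(",")) {
            String name = role.trim();
            if (name.length() > 0 && request.isUserInRole(name)) {
                return EVAL_BODY_INCLUDE;   // body is evaluated once, into the page output
            }
        }
        return SKIP_BODY;
    }

    public int doEndTag() throws JspException {
        return EVAL_PAGE;                   // continue with the rest of the page either way
    }

    public void release() {
        roles = null;                       // handlers may be pooled; drop per-use state
        super.release();
    }
}
```

Two things to keep in mind when using it. Hiding a link is presentation only: the security-constraint in web.xml is what actually refuses the request when someone types the URL in by hand, so the tag must never be the only check. And isUserInRole() answers in terms of the role names the application declares in web.xml (or maps through security-role-ref), so the names in the roles attribute have to be those, not arbitrary strings from the realm's database.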