Posted to users@tomcat.apache.org by Eelco <to...@planet.nl> on 2003/09/08 18:06:40 UTC
JDBCRealm and dynamic resources/roles
Hello.

I am working on a web application that creates directories with resources (mainly GIFs) in it. When creating new directories, i.e. "res1" and "res2", I need new user roles as well, i.e. res1_viewer and res2_viewer.

Now if somebody logs in as a res1_viewer, how can I make sure that he or she only has access to those resources he or she has the proper rights for? And NOT the resources in directory res2. I.e. by typing the direct URL to the GIF in the address bar of the browser.

The problem is that the new security constraints for the created directories are in web.xml and this file is only read at application/tomcat startup.

I found a post from 3 years ago, written by somebody with more or less the same question at:
http://w6.metronet.com/~wjm/tomcat/2000/May/msg00502.html

Here the replier advises to do something like a Context Restart.

My question is: is this still the best way? If this (old) thread is really outdated, what would be the right way to proceed with this problem? Should I extend/implement JDBCRealm?

I am using Tomcat 4.1 on Windows/Linux/Unix with JDK 1.3.1_08

Any help will be greatly appreciated!

Regards,
Eelco

RE: JDBCRealm and dynamic resources/roles
Posted by Eelco <to...@planet.nl>.
Hi,

this is me again.

I just wanted to say that I found out that web.xml is ALWAYS read at least for the security settings (I only tested for that). This also seems independent of the flag in server.xml where you can set reloadable to false.

So the good news is that you can have variable roles and you don't even have to do a context restart.

Regards,
Eelco

Here is my previous post:

> Hello.
>
> I am working on a web application that creates directories with
> resources (mainly GIFs) in it. When creating new directories, i.e.
> "res1" and "res2", I need new user roles as well, i.e. res1_viewer
> and res2_viewer.
>
> Now if somebody logs in as a res1_viewer, how can I make sure that
> he or she only has access to those resources he or she has the proper
> rights for? And NOT the resources in directory res2. I.e. by typing
> the direct URL to the GIF in the address bar of the browser.
>
> The problem is that the new security constraints for the created
> directories are in web.xml and this file is only read at
> application/tomcat startup.
>
> I found a post from 3 years ago, written by somebody with more or less
> the same question at:
>
> http://w6.metronet.com/~wjm/tomcat/2000/May/msg00502.html
>
> Here the replier advises to do something like a Context Restart.
>
> My question is: is this still the best way? If this (old) thread is
> really outdated, what would be the right way to proceed with this
> problem? Should I extend/implement JDBCRealm?
>
> I am using Tomcat 4.1 on Windows/Linux/Unix with JDK 1.3.1_08
>
> Any help will be greatly appreciated!
>
> Regards,
> Eelco
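
An added example, not part of the original posts and not Tomcat's own code: one way to enforce the per-directory rule asked about in this thread without writing a new security constraint into web.xml for every directory is a Servlet 2.3 filter that derives the required role from the requested directory. The class name, the `/resources/` prefix and the filter mapping are assumptions, and the user is assumed to have been authenticated by the container against the JDBCRealm already.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it to /resources/* in web.xml (assumed layout).
// A request for /resources/res1/a.gif then requires the role "res1_viewer".
public class DirectoryRoleFilter implements Filter {
    private static final String PREFIX = "/resources/";   // assumed location

    public void init(FilterConfig config) {}
    public void destroy() {}

    // Returns the role needed for a context-relative path, or null when the
    // path does not name a file below a plainly named directory.
    static String requiredRole(String path) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        int end = path.indexOf('/', PREFIX.length());
        if (end <= PREFIX.length()) return null;           // no directory segment
        String dir = path.substring(PREFIX.length(), end);
        for (int i = 0; i < dir.length(); i++) {
            char c = dir.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                      || (c >= '0' && c <= '9') || c == '_';
            if (!ok) return null;                          // rejects "..", ';', '%'
        }
        return dir + "_viewer";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-decoded path; pathInfo is null when the default servlet serves the file.
        String extra = request.getPathInfo();
        String path = request.getServletPath() + (extra == null ? "" : extra);
        String role = requiredRole(path);
        // Deny by default: unknown layout, anonymous user, or role not held.
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the role name is computed per request and checked with `isUserInRole`, a role such as res2_viewer takes effect as soon as it exists in the realm's role table and the user logs in again.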