Posted to users@tomcat.apache.org by Eelco <to...@planet.nl> on 2003/09/08 18:06:40 UTC

JDBCRealm and dynamic resources/roles

Hello.

I am working on a web application that creates directories with
resources (mainly GIFs) in it. When creating new directories, i.e.
"res1" and "res2", I need new user roles as well, i.e. res1_viewer and
res2_viewer.

Now if somebody logs in as a res1_viewer, how can I make sure that he or
she only has access to those resources he or she has the proper rights
for? And NOT the resources in directory res2. I.e. by typing the direct
URL to the GIF in the address bar of the browser.

The problem is that the new security constraints for the created
directories are in web.xml and this file is only read at
application/Tomcat startup.

I found a post from 3 years ago, written by somebody with more or less
the same question at:

http://w6.metronet.com/~wjm/tomcat/2000/May/msg00502.html

Here the replier advises doing something like a Context Restart.

My question is: is this still the best way? If this (old) thread is
really outdated, what would be the right way to proceed with this
problem? Should I extend/implement JDBCRealm?

I am using Tomcat 4.1 on Windows/Linux/Unix with JDK 1.3.1_08.

Any help will be greatly appreciated!

Regards,

Eelco
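
An added example, not part of the original thread: one way to enforce the per-directory check asked about above in application code, so that the role required for a URL is derived from the directory name at request time instead of being listed per directory in web.xml. The class name, the /resources/<dir>/<file> layout and the lowercase-alphanumeric directory names are assumptions; it also assumes a single static security-constraint on /resources/* so that the container has already authenticated the user.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, mapped in web.xml to /resources/* (assumed layout:
// /resources/<dir>/<file>). The required role is "<dir>_viewer".
public class DirectoryRoleFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    // Returns the role needed for a context-relative path, or null when the
    // path does not name a file inside a well-formed directory (deny by default).
    static String requiredRole(String path) {
        String prefix = "/resources/";
        if (path == null || !path.startsWith(prefix)) return null;
        String rest = path.substring(prefix.length());
        if (rest.indexOf("..") >= 0) return null;       // no parent-directory tricks
        int slash = rest.indexOf('/');
        if (slash <= 0 || slash == rest.length() - 1) return null;
        String dir = rest.substring(0, slash);
        for (int i = 0; i < dir.length(); i++) {        // assumed naming: [a-z0-9]+
            char c = dir.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');
            if (!ok) return null;
        }
        return dir + "_viewer";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        String role = requiredRole(path);
        // Refuse unless the authenticated user holds the role for this directory.
        if (role == null || request.getRemoteUser() == null
                || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

With this in place, a user holding only res1_viewer who types the direct URL of a GIF under res2 gets a 403 response.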


RE: JDBCRealm and dynamic resources/roles

Posted by Eelco <to...@planet.nl>.
Hi,

This is me again.

I just wanted to say that I found out that web.xml is ALWAYS
read, at least for the security settings (I only tested for that).

This also seems independent of the flag in server.xml where you can
set reloadable to false.

So the good news is that you can have variable roles and you don't
even have to do a context restart.

Regards,

Eelco

