Posted to dev@tomcat.apache.org by Mark Harwood <ma...@totalise.co.uk> on 2003/01/10 13:14:25 UTC
Proposal: CanAccessLink(..) test
It's cool having authorisation restrictions enforced when accessing a page but
it would also be useful to query these restrictions when choosing to offer a
link in other pages.
I have an implementation which offers this query capability based on a hack of
Tomcat authorisation code. The method signature is:
boolean canIAccess(String url, String method, HttpServletRequest currentRequest, ServletContext context)
Is this sort of thing worth rolling into Tomcat somewhere? Without such a
feature you effectively end up declaring security restrictions twice - once in
web.xml declarations and once in pages that choose to offer links to these
secured pages.
Cheers
Mark Harwood
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Proposal: CanAccessLink(..) test
Posted by Jeanfrancois Arcand <jf...@apache.org>.
Hi Mark, see inline
Mark Harwood wrote:
>It's cool having authorisation restrictions enforced when accessing a page but
>it would also be useful to query these restrictions when choosing to offer a
>link in other pages.
>
>I have an implementation which offers this query capability based on a hack of
>Tomcat authorisation code. The method signature is:
>
>boolean canIAccess(String url, String method, HttpServletRequest
>currentRequest, ServletContext context)
>
>
>Is this sort of thing worth rolling into Tomcat somewhere? Without such a
>feature you effectively end up declaring security restrictions twice - once in
>web.xml declarations and once in pages that choose to offer links to these
>secured pages.
>
-1 for portability reasons. The security mechanism will not work the same
way if I define my web app using Tomcat and then move it to another
Servlet container. Some users may think their applications are secure
under Tomcat, and then move them to another container (security issue).
If you think that every Servlet container should support your method,
you can submit your proposal to jsr-154-comments@jcp.org
<ma...@jcp.org>
If others on tomcat-dev are interested in your proposal, at least make that
behaviour optional and turned off by default :-)
-- Jeanfrancois
>
>Cheers
>Mark Harwood
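A container-independent sketch of the link test discussed in this thread, added here as an illustration; it is not Mark Harwood's implementation and not Tomcat code. It evaluates a simplified model of web.xml security constraints and takes the role check as a predicate, which in a web app would be request::isUserInRole. The names LinkAccess, Rule and canAccess, the one-constraint-per-pattern model (every constraint carrying an auth-constraint) and the sample rules are assumptions; the result is only for deciding whether to render a link, and the container's own enforcement still guards the page.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration, not Tomcat code. LinkAccess, Rule and canAccess are hypothetical names.
public class LinkAccess {
    // One <security-constraint>: url-pattern, http-methods (empty = all methods), role-names.
    static final class Rule {
        final String pattern; final Set<String> methods; final Set<String> roles;
        Rule(String pattern, Set<String> methods, Set<String> roles) {
            this.pattern = pattern; this.methods = methods; this.roles = roles;
        }
    }

    // Servlet url-pattern precedence: exact > longest path prefix > extension > default "/".
    static int score(String pattern, String path) {
        if (pattern.equals(path)) return Integer.MAX_VALUE;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return prefix.length() + 2;
        }
        if (pattern.startsWith("*.") && path.endsWith(pattern.substring(1))) return 1;
        return pattern.equals("/") ? 0 : -1;   // -1 means the pattern does not match
    }

    // True if the link may be offered; inRole answers "does the current user hold this role?".
    static boolean canAccess(List<Rule> rules, String url, String method, Predicate<String> inRole) {
        String path = url.split("\\?", 2)[0];  // constraints match the path, not the query string
        Rule best = null;
        int bestScore = -1;
        for (Rule r : rules) {
            int s = score(r.pattern, path);
            if (s > bestScore) { best = r; bestScore = s; }
        }
        if (best == null) return true;         // no constraint covers this path
        if (!best.methods.isEmpty() && !best.methods.contains(method)) return true; // method not constrained
        return best.roles.stream().anyMatch(inRole); // an empty role list denies everyone
    }

    public static void main(String[] args) {
        // Constructed sample constraints and user roles; not taken from any real web.xml.
        List<Rule> rules = Arrays.asList(
            new Rule("/admin/*", Collections.emptySet(), Collections.singleton("admin")),
            new Rule("/reports/*", Collections.singleton("POST"), Collections.singleton("editor")));
        Set<String> userRoles = Collections.singleton("editor");
        Predicate<String> inRole = userRoles::contains; // in a web app: request::isUserInRole
        String[][] links = {{"/admin/users", "GET"}, {"/reports/q1?year=2003", "POST"}, {"/reports/q1", "GET"}};
        for (String[] l : links)
            System.out.println(l[1] + " " + l[0] + " -> " + canAccess(rules, l[0], l[1], inRole));
    }
}
```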