Posted to dev@tomcat.apache.org by Mark Harwood <ma...@totalise.co.uk> on 2003/01/10 13:14:25 UTC

Proposal: CanAccessLink(..) test

It's cool having authorisation restrictions enforced when accessing a page but 
it would also be useful to query these restrictions when choosing to offer a 
link in other pages.

I have an implementation which offers this query capability based on a hack of 
Tomcat authorisation code. The method signature is:

boolean canIAccess(String url, String method, HttpServletRequest currentRequest, ServletContext context)


Is this sort of thing worth rolling into Tomcat somewhere? Without such a 
feature you effectively end up declaring security restrictions twice - once in 
web.xml declarations and once in pages that choose to offer links to these 
secured pages.

Cheers
Mark Harwood


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Proposal: CanAccessLink(..) test

Posted by Jeanfrancois Arcand <jf...@apache.org>.
Hi Mark, see inline

Mark Harwood wrote:

>It's cool having authorisation restrictions enforced when accessing a page but 
>it would also be useful to query these restrictions when choosing to offer a 
>link in other pages.
>
>I have an implementation which offers this query capability based on a hack of 
>Tomcat authorisation code. The method signature is:
>
>boolean canIAccess(String url, String method, HttpServletRequest currentRequest, ServletContext context)
>
>
>Is this sort of thing worth rolling into Tomcat somewhere? Without such a 
>feature you effectively end up declaring security restrictions twice - once in 
>web.xml declarations and once in pages that choose to offer links to these 
>secured pages.
>
-1 for portability reasons. The security mechanism will not work the same 
way if I define my web app using Tomcat and then move it under another 
Servlet container. Some users may think their application is secure 
under Tomcat, and then move it to another container (security issue).

If you think that every Servlet container should support your method, 
you can submit your proposal to jsr-154-comments@jcp.org 

If other tomcat-dev are interested in your proposal, at least make that 
behaviour optional and turned off by default :-)

-- Jeanfrancois




>
>Cheers
>Mark Harwood
>
>
>
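
A sketch of the kind of query the proposal describes, added here as an example; it is not Mark Harwood's implementation and not Tomcat code. It assumes a simplified model of web.xml constraint matching (best-matching url-pattern first, then http-method, then roles); the `Constraint` class, the `score` helper and this `canAccess` signature are hypothetical, and the role predicate stands in for `HttpServletRequest.isUserInRole`.

```java
import java.util.*;
import java.util.function.Predicate;

public class LinkAccessCheck {
    // roles == null: no <auth-constraint> (anyone); empty: nobody. methods empty: all methods.
    static final class Constraint {
        final String pattern; final Set<String> methods, roles;
        Constraint(String pattern, Set<String> methods, Set<String> roles) {
            this.pattern = pattern; this.methods = methods; this.roles = roles;
        }
    }

    // Match specificity: exact > longest path prefix > extension; -1 = no match.
    static int score(String pattern, String path) {
        if (pattern.equals(path)) return Integer.MAX_VALUE;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return prefix.length() + 1;
        } else if (pattern.startsWith("*.") && path.endsWith(pattern.substring(1))) return 0;
        return -1;
    }

    // isUserInRole is a hypothetical stand-in for HttpServletRequest.isUserInRole.
    static boolean canAccess(List<Constraint> all, String path, String method,
                             Predicate<String> isUserInRole) {
        int best = -1;
        for (Constraint c : all) best = Math.max(best, score(c.pattern, path));
        boolean constrained = false, open = false, roleMatched = false;
        for (Constraint c : all) {
            if (best < 0 || score(c.pattern, path) != best) continue; // not the best pattern
            if (!c.methods.isEmpty() && !c.methods.contains(method)) continue;
            constrained = true;
            if (c.roles == null) open = true;
            else if (c.roles.isEmpty()) return false; // empty auth-constraint denies all
            else if (c.roles.stream().anyMatch(isUserInRole)) roleMatched = true;
        }
        return !constrained || open || roleMatched;
    }

    public static void main(String[] args) {
        // Constructed sample data, as if read once from web.xml.
        List<Constraint> web = Arrays.asList(
            new Constraint("/admin/*", Collections.emptySet(), Collections.singleton("admin")),
            new Constraint("/admin/help.html", Collections.emptySet(), null),
            new Constraint("/internal/*", Collections.emptySet(), Collections.emptySet()));
        Predicate<String> clerk = "clerk"::equals; // constructed user holding only "clerk"
        for (String url : new String[] {"/admin/users", "/admin/help.html", "/internal/x", "/index.jsp"})
            System.out.println(url + " -> offer link: " + canAccess(web, url, "GET", clerk));
    }
}
```

Hiding a link is presentation only; the container's enforcement of the web.xml constraints on the target URL remains the access control.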