Posted to users@tomcat.apache.org by David Kerber <dc...@verizon.net> on 2007/05/08 16:25:47 UTC
ACL (access control list) tutorial or example
I posted this on comp.lang.java.security yesterday, but haven't gotten a
single answer, so I'm hoping you people can help:
I'm trying to implement ACL's in my Tomcat-based webapp, and am having
trouble applying what I read in the docs and in my googling to my
real-life application. Could somebody please point me to a good
tutorial or some example code that shows how to set and check the
permissions (read only vs read/write, administration vs general user,
etc) that a given user will have to access a given object?
I've got the authentication part going with no trouble, but am having
trouble with the access control side of things.
TIA!
Dave
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: ACL (access control list) tutorial or example
Posted by Pid <p...@pidster.com>.
David Kerber wrote:
> Pid wrote:
>
>> David Kerber wrote:
>>
>>>
>>> ...
>>>
>>>> There isn't a standard way of doing programmatic security of this
>>>> nature - the nature of it is such that you have to write it yourself.
>>>
>>>
>>> That is essentially what I'm trying to do, using various built-in
>>> tools, such as java.security.acl.*, sun.security.acl.AclImpl,
>>> sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
>>> I'm just having trouble figuring out how these tools are intended to
>>> be used.
>>
>>
>> I wouldn't start there when securing a web application, but other list
>> members might. Sounds like the long route to a solution.
>>
>> The spec defines role based access control; the majority of your
>> problem can be resolved by configuring a Realm and your app so that
>> restrictions can be applied on a URL by URL basis.
>>
>> All of this can be done without having to use 'java.security.acl', but
>> with the facilities provided by Tomcat.
>>
>> I'd recommend looking/trying the realm thing before you proceed.
>
> I'll do that, but one quick question: can the realm thing get user
> information and authenticate against a database? This app has several
> hundred potential users and sites to which they will have access in
> varying combinations.
Yup. Configure FORM authentication for a nice login page, BASIC for a
browser popup type thing, with one of:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm
Or, if you've (wisely) already set up a DataSource to provide JDBC:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#DataSourceRealm
p
>>
>>>> Programmatic checks at each read/write point, using username based
>>>> SQL queries if your user can be linked/related to the stock DB,
>>>> it's a logical problem more than a Tomcat problem I think.
>>>
>>>
>>> I know it's not primarily a Tomcat problem, which is why I initially
>>> posted in comp.lang.java.security. However, there are still no
>>> responses there after two days.
>>>
>>>
>>> Thanks for the comments!
>>> Dave
>>
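The Realm setup Pid points to, written out as an added example; this is not configuration from the thread or from Dave's application. It is a DataSourceRealm reading users and roles from the pool the app already has, plus the web.xml constraints that apply those roles path by path, along the /staff, /manager, /admin split Pid suggests further down the thread. The JNDI name jdbc/inventory, the PostgreSQL driver and URL, the users/user_roles tables and their columns, and the three role names are all assumptions.

```xml
<!-- META-INF/context.xml: the pool the app already uses plus a DataSourceRealm that reads
     users and roles from it. Driver, URL, JNDI name, table and column names are assumed. -->
<Context>
  <Resource name="jdbc/inventory" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/inventory"
            username="tomcat_app" password="CHANGE_ME" />

  <!-- Assumed tables: users(user_name, user_pass) and user_roles(user_name, role_name).
       digest="SHA-256" means user_pass holds the hex digest of the password, never the
       clear text. Tomcat 5.5/6 apply no salt here; on Tomcat 8+ nest a CredentialHandler
       (with saltLength and iterations) inside the Realm instead of using digest. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/inventory" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA-256" />
</Context>

<!-- WEB-INF/web.xml fragment: the coarse, per-path gate. No <http-method> is listed on
     purpose; naming one protects only that method and leaves every other method open.
     Paths matched by no constraint are unprotected, so keep restricted JSPs and servlets
     under these prefixes. CONFIDENTIAL makes Tomcat redirect to the Connector's
     redirectPort, which must point at a working HTTPS connector. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Store pages</web-resource-name>
    <url-pattern>/staff/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>staff</role-name>
    <role-name>regional_manager</role-name>
    <role-name>system_admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Regional pages</web-resource-name>
    <url-pattern>/manager/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>regional_manager</role-name>
    <role-name>system_admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>system_admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Inventory</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>staff</role-name></security-role>
<security-role><role-name>regional_manager</role-name></security-role>
<security-role><role-name>system_admin</role-name></security-role>
```

The login page is a plain form posting to j_security_check with j_username and j_password fields; Tomcat asks the Realm, and a user holding none of the roles listed for a path gets 403 before any servlet runs. Role names must match the role_name values in user_roles exactly. Logins performed in application code bypass all of this, so the configuration replaces the hand-rolled authentication rather than sitting beside it.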
Re: ACL (access control list) tutorial or example
Posted by David Kerber <dc...@verizon.net>.
Pid wrote:
> David Kerber wrote:
>
>>
>> ...
>>
>>> There isn't a standard way of doing programmatic security of this
>>> nature - the nature of it is such that you have to write it yourself.
>>
>>
>> That is essentially what I'm trying to do, using various built-in
>> tools, such as java.security.acl.*, sun.security.acl.AclImpl,
>> sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
>> I'm just having trouble figuring out how these tools are intended to
>> be used.
>
>
> I wouldn't start there when securing a web application, but other list
> members might. Sounds like the long route to a solution.
>
> The spec defines role based access control; the majority of your
> problem can be resolved by configuring a Realm and your app so that
> restrictions can be applied on a URL by URL basis.
>
> All of this can be done without having to use 'java.security.acl', but
> with the facilities provided by Tomcat.
>
> I'd recommend looking/trying the realm thing before you proceed.
I'll do that, but one quick question: can the realm thing get user
information and authenticate against a database? This app has several
hundred potential users and sites to which they will have access in
varying combinations.
>
>>> Programmatic checks at each read/write point, using username based
>>> SQL queries if your user can be linked/related to the stock DB,
>>> it's a logical problem more than a Tomcat problem I think.
>>
>>
>> I know it's not primarily a Tomcat problem, which is why I initially
>> posted in comp.lang.java.security. However, there are still no
>> responses there after two days.
>>
>>
>> Thanks for the comments!
>> Dave
>
Re: [OT] Re: ACL (access control list) tutorial or example
Posted by David Kerber <dc...@verizon.net>.
Pid wrote:
>>>> ...
>>>>
>>>>> There isn't a standard way of doing programmatic security of
>>>>> this nature - the nature of it is such that you have to write it
>>>>> yourself.
>>>>
>>>>
>>>>
>>>> That is essentially what I'm trying to do, using various built-in
>>>> tools, such as java.security.acl.*, sun.security.acl.AclImpl,
>>>> sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl,
>>>> etc. I'm just having trouble figuring out how these tools are
>>>> intended to be used.
>>>
>>>
>>>
>>> I wouldn't start there when securing a web application, but other
>>> list members might. Sounds like the long route to a solution.
>>>
>>> The spec defines role based access control; the majority of your
>>> problem can be resolved by configuring a Realm and your app so that
>>> restrictions can be applied on a URL by URL basis.
>>
>>
>> In addition to the response I just posted, this app only has about 5
>> different url's (.jsp's), only one of which is restricted to admin
>> users.
>
>
> You can secure any path, including a file URL.
> Are you submitting forms to servlets or JSPs?
servlets.
>
> If you're submitting to servlets (i.e. separating your logic from your
> views) then it makes it easier to write specific checks for specific
> users.
That's good to know.
>
>> The permissions are to specify which site's information they are able
>> to view on the site information .jsp, and whether or not they can
>> modify that information, not what .jsp they can get to in the first
>> place.
>
>
> How are you currently determining which data to display, a URL
> parameter that specifies the userid/username?
No, the user ID information is set in session attributes, and then they
go to a .jsp that allows them to select from a list of sites to which
they have access, then one which allows them to specify the date they
want to see, and then they finally get to the data display form. The
fields on this page are either editable or not, depending on what their
permission level is for the site they are looking at. The information
is all carried along in the session object as they go from screen to
screen.
Dave
[OT] Re: ACL (access control list) tutorial or example
Posted by Pid <p...@pidster.com>.
David Kerber wrote:
> Pid wrote:
>
>> David Kerber wrote:
>>
>>>
>>> ...
>>>
>>>> There isn't a standard way of doing programmatic security of this
>>>> nature - the nature of it is such that you have to write it yourself.
>>>
>>>
>>> That is essentially what I'm trying to do, using various built-in
>>> tools, such as java.security.acl.*, sun.security.acl.AclImpl,
>>> sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
>>> I'm just having trouble figuring out how these tools are intended to
>>> be used.
>>
>>
>> I wouldn't start there when securing a web application, but other list
>> members might. Sounds like the long route to a solution.
>>
>> The spec defines role based access control; the majority of your
>> problem can be resolved by configuring a Realm and your app so that
>> restrictions can be applied on a URL by URL basis.
>
> In addition to the response I just posted, this app only has about 5
> different url's (.jsp's), only one of which is restricted to admin
> users.
You can secure any path, including a file URL.
Are you submitting forms to servlets or JSPs?
If you're submitting to servlets (i.e. separating your logic from your
views) then it makes it easier to write specific checks for specific users.
> The permissions are to specify which site's information they are
> able to view on the site information .jsp, and whether or not they can
> modify that information, not what .jsp they can get to in the first place.
How are you currently determining which data to display, a URL parameter
that specifies the userid/username?
p
> Dave
Re: ACL (access control list) tutorial or example
Posted by David Kerber <dc...@verizon.net>.
Pid wrote:
> David Kerber wrote:
>
>>
>> ...
>>
>>> There isn't a standard way of doing programmatic security of this
>>> nature - the nature of it is such that you have to write it yourself.
>>
>>
>> That is essentially what I'm trying to do, using various built-in
>> tools, such as java.security.acl.*, sun.security.acl.AclImpl,
>> sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
>> I'm just having trouble figuring out how these tools are intended to
>> be used.
>
>
> I wouldn't start there when securing a web application, but other list
> members might. Sounds like the long route to a solution.
>
> The spec defines role based access control; the majority of your
> problem can be resolved by configuring a Realm and your app so that
> restrictions can be applied on a URL by URL basis.
In addition to the response I just posted, this app only has about 5
different url's (.jsp's), only one of which is restricted to admin
users. The permissions are to specify which site's information they are
able to view on the site information .jsp, and whether or not they can
modify that information, not what .jsp they can get to in the first place.
Dave
Re: ACL (access control list) tutorial or example
Posted by Pid <p...@pidster.com>.
David Kerber wrote:
>
> ...
>
>> There isn't a standard way of doing programmatic security of this
>> nature - the nature of it is such that you have to write it yourself.
>
> That is essentially what I'm trying to do, using various built-in tools,
> such as java.security.acl.*, sun.security.acl.AclImpl,
> sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
> I'm just having trouble figuring out how these tools are intended to be
> used.
I wouldn't start there when securing a web application, but other list
members might. Sounds like the long route to a solution.
The spec defines role based access control; the majority of your problem
can be resolved by configuring a Realm and your app so that restrictions
can be applied on a URL by URL basis.
All of this can be done without having to use 'java.security.acl', but
with the facilities provided by Tomcat.
I'd recommend looking/trying the realm thing before you proceed.
p
>> Programmatic checks at each read/write point, using username based
>> SQL queries if your user can be linked/related to the stock DB, it's
>> a logical problem more than a Tomcat problem I think.
>
> I know it's not primarily a Tomcat problem, which is why I initially
> posted in comp.lang.java.security. However, there are still no
> responses there after two days.
>
>
> Thanks for the comments!
> Dave
Re: ACL (access control list) tutorial or example
Posted by David Kerber <dc...@verizon.net>.
...
> There isn't a standard way of doing programmatic security of this
> nature - the nature of it is such that you have to write it yourself.
That is essentially what I'm trying to do, using various built-in tools,
such as java.security.acl.*, sun.security.acl.AclImpl,
sun.security.acl.AclEntryImpl, sun.security.acl.PermissionImpl, etc.
I'm just having trouble figuring out how these tools are intended to be used.
>
>
> Programmatic checks at each read/write point, using username based
> SQL queries if your user can be linked/related to the stock DB, it's
> a logical problem more than a Tomcat problem I think.
I know it's not primarily a Tomcat problem, which is why I initially
posted in comp.lang.java.security. However, there are still no
responses there after two days.
Thanks for the comments!
Dave
Re: ACL (access control list) tutorial or example
Posted by Pid <p...@pidster.com>.
David Kerber wrote:
> Authentication is done in the java code, checking against the back-end
> database, and I'm trying to build the ACL's for a site as I read the
> site and user information from the db. The only thing tomcat is doing
> is serving up data; no authentication or access controls are set up in
> tomcat itself beyond whatever is there in the default installation.
I'd be tempted to forgo setting up ACLs of some flavour, in favour of
using a JDBCRealm to handle authentication and basic role management.
Configure portions of your application to be available by URL path:
/staff/stuff
/manager/stuff
/admin/stuff
Once you're in a specific (secured path) you could use the stored
username/object to determine which data to display.
There isn't a standard way of doing programmatic security of this
nature - the nature of it is such that you have to write it yourself.
Programmatic checks at each read/write point, using username based SQL
queries if your user can be linked/related to the stock DB, it's a
logical problem more than a Tomcat problem I think.
p
> Dave
>
>
> Pid wrote:
>
>> David Kerber wrote:
>>
>>> Thanks for the response, but I don't think either of these are what I
>>> need. My application involves users who need access to the inventory
>>> data for stores throughout the country, and those locations and users
>>> are all stored in a back-end database. All this is managed by java
>>> classes; tomcat and about 5 jsp's are just the front end for 260 or
>>> so java classes that do the grunt work. I need to be able to ensure
>>> that some users only have access to their own stores, while other
>>> users (regional managers, etc) can access all the stores under their
>>> jurisdiction, and system administrators can manage system settings,
>>> etc. I have those permissions set up in the database, but can't
>>> quite work out how to apply them to ACL's and ACLEntries. That's why
>>> I'm looking for a tutorial and/or sample code.
>>> The people who initially wrote this app tried, but didn't seem to get
>>> the permissions handling set up quite right, because any user who
>>> authenticates successfully has unlimited access to their stores, but
>>> some of them should only have read access, and I need to get it
>>> straightened out.
>>
>>
>> How are you doing auth? (E.g. using Tomcat FORM).
>>
>> You'll be wanting some programmatic security then no? You'll have
>> to write some checks for each occasion that a user needs to read or
>> write some data I'd imagine.
>>
>>
>>
>> If you're using the built in auth stuff, then you can use the
>> Principal to identify which roles the user has access to.
>>
>> if (request.isUserInRole("system_admin")) {
>>     // show a page, do an action, write some data.
>>     ...
>> }
>> else {
>>     // throw error
>>     response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
>> }
>>
>>
>> p
>>
>>
>>
>>> Thanks,
>>> Dave
>>>
>>>
>>> Martin Gainty wrote:
>>>
>>>> Good Morning Dave...
>>>>
>>>> I would start by referencing this link
>>>> http://tomcat.apache.org/tomcat-6.0-doc/cgi-howto.html
>>>>
>>>> either
>>>> set up security in %JAVA_HOME%/lib/security/java.policy and start
>>>> java with security manager enabled e.g.
>>>> JAVA -Djava.security.policy=java.policy
>>>> %CATALINA_HOME%\bin\bootstrap.jar
>>>>
>>>> OR
>>>> read everything you can on configuring
>>>> %CATALINA_HOME%/conf/catalina.policy
>>>> and configure the necessary options in catalina.policy *this link
>>>> should get you started*
>>>> http://tomcat.apache.org/tomcat-4.1-doc/security-manager-howto.html
>>>>
>>>> HTH/
>>>> Martin
>>>>
>>>> ----- Original Message ----- From: "David Kerber"
>>>> <dc...@verizon.net>
>>>> To: "Tomcat Users List" <us...@tomcat.apache.org>
>>>> Sent: Tuesday, May 08, 2007 10:25 AM
>>>> Subject: ACL (access control list) tutorial or example
>>>>
>>>>
>>>>> I posted this on comp.lang.java.security yesterday, but haven't
>>>>> gotten a single answer, so I'm hoping you people can help:
>>>>>
>>>>> I'm trying to implement ACL's in my Tomcat-based webapp, and am
>>>>> having trouble applying what I read in the docs and in my googling
>>>>> to my real-life application. Could somebody please point me to a
>>>>> good tutorial or some example code that shows how to set and check
>>>>> the permissions (read only vs read/write, administration vs general
>>>>> user, etc) that a given user will have to access a given object?
>>>>>
>>>>> I've got the authentication part going with no trouble, but am
>>>>> having trouble with the access control side of things.
>>>>>
>>>>> TIA!
>>>>> Dave
>>>>
Re: ACL (access control list) tutorial or example
Posted by David Kerber <dc...@verizon.net>.
Authentication is done in the java code, checking against the back-end
database, and I'm trying to build the ACL's for a site as I read the
site and user information from the db. The only thing tomcat is doing
is serving up data; no authentication or access controls are set up in
tomcat itself beyond whatever is there in the default installation.
Dave
Pid wrote:
> David Kerber wrote:
>
>> Thanks for the response, but I don't think either of these are what I
>> need. My application involves users who need access to the inventory
>> data for stores throughout the country, and those locations and users
>> are all stored in a back-end database. All this is managed by java
>> classes; tomcat and about 5 jsp's are just the front end for 260 or
>> so java classes that do the grunt work. I need to be able to ensure
>> that some users only have access to their own stores, while other
>> users (regional managers, etc) can access all the stores under their
>> jurisdiction, and system administrators can manage system settings,
>> etc. I have those permissions set up in the database, but can't
>> quite work out how to apply them to ACL's and ACLEntries. That's why
>> I'm looking for a tutorial and/or sample code.
>> The people who initially wrote this app tried, but didn't seem to get
>> the permissions handling set up quite right, because any user who
>> authenticates successfully has unlimited access to their stores, but
>> some of them should only have read access, and I need to get it
>> straightened out.
>
>
> How are you doing auth? (E.g. using Tomcat FORM).
>
> You'll be wanting some programmatic security then no? You'll have
> to write some checks for each occasion that a user needs to read or
> write some data I'd imagine.
>
>
>
> If you're using the built in auth stuff, then you can use the
> Principal to identify which roles the user has access to.
>
> if (request.isUserInRole("system_admin")) {
>     // show a page, do an action, write some data.
>     ...
> }
> else {
>     // throw error
>     response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
> }
>
>
> p
>
>
>
>> Thanks,
>> Dave
>>
>>
>> Martin Gainty wrote:
>>
>>> Good Morning Dave...
>>>
>>> I would start by referencing this link
>>> http://tomcat.apache.org/tomcat-6.0-doc/cgi-howto.html
>>>
>>> either
>>> set up security in %JAVA_HOME%/lib/security/java.policy and start
>>> java with security manager enabled e.g.
>>> JAVA -Djava.security.policy=java.policy
>>> %CATALINA_HOME%\bin\bootstrap.jar
>>>
>>> OR
>>> read everything you can on configuring
>>> %CATALINA_HOME%/conf/catalina.policy
>>> and configure the necessary options in catalina.policy *this link
>>> should get you started*
>>> http://tomcat.apache.org/tomcat-4.1-doc/security-manager-howto.html
>>>
>>> HTH/
>>> Martin
>>>
>>> ----- Original Message ----- From: "David Kerber"
>>> <dc...@verizon.net>
>>> To: "Tomcat Users List" <us...@tomcat.apache.org>
>>> Sent: Tuesday, May 08, 2007 10:25 AM
>>> Subject: ACL (access control list) tutorial or example
>>>
>>>
>>>> I posted this on comp.lang.java.security yesterday, but haven't
>>>> gotten a single answer, so I'm hoping you people can help:
>>>>
>>>> I'm trying to implement ACL's in my Tomcat-based webapp, and am
>>>> having trouble applying what I read in the docs and in my googling
>>>> to my real-life application. Could somebody please point me to a
>>>> good tutorial or some example code that shows how to set and check
>>>> the permissions (read only vs read/write, administration vs general
>>>> user, etc) that a given user will have to access a given object?
>>>>
>>>> I've got the authentication part going with no trouble, but am
>>>> having trouble with the access control side of things.
>>>>
>>>> TIA!
>>>> Dave
>>>
Re: ACL (access control list) tutorial or example
Posted by Pid <p...@pidster.com>.
David Kerber wrote:
> Thanks for the response, but I don't think either of these are what I
> need. My application involves users who need access to the inventory
> data for stores throughout the country, and those locations and users
> are all stored in a back-end database. All this is managed by java
> classes; tomcat and about 5 jsp's are just the front end for 260 or so
> java classes that do the grunt work. I need to be able to ensure that
> some users only have access to their own stores, while other users
> (regional managers, etc) can access all the stores under their
> jurisdiction, and system administrators can manage system settings,
> etc. I have those permissions set up in the database, but can't quite
> work out how to apply them to ACL's and ACLEntries. That's why I'm
> looking for a tutorial and/or sample code.
> The people who initially wrote this app tried, but didn't seem to get
> the permissions handling set up quite right, because any user who
> authenticates successfully has unlimited access to their stores, but
> some of them should only have read access, and I need to get it
> straightened out.
How are you doing auth? (E.g. using Tomcat FORM).
You'll be wanting some programmatic security then no? You'll have to
write some checks for each occasion that a user needs to read or write
some data I'd imagine.
If you're using the built in auth stuff, then you can use the Principal
to identify which roles the user has access to.
if (request.isUserInRole("system_admin")) {
    // show a page, do an action, write some data.
    ...
}
else {
    // throw error
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
p
> Thanks,
> Dave
>
>
> Martin Gainty wrote:
>
>> Good Morning Dave...
>>
>> I would start by referencing this link
>> http://tomcat.apache.org/tomcat-6.0-doc/cgi-howto.html
>>
>> either
>> set up security in %JAVA_HOME%/lib/security/java.policy and start java
>> with security manager enabled e.g.
>> JAVA -Djava.security.policy=java.policy %CATALINA_HOME%\bin\bootstrap.jar
>>
>> OR
>> read everything you can on configuring
>> %CATALINA_HOME%/conf/catalina.policy
>> and configure the necessary options in catalina.policy *this link
>> should get you started*
>> http://tomcat.apache.org/tomcat-4.1-doc/security-manager-howto.html
>>
>> HTH/
>> Martin
>>
>> ----- Original Message ----- From: "David Kerber" <dc...@verizon.net>
>> To: "Tomcat Users List" <us...@tomcat.apache.org>
>> Sent: Tuesday, May 08, 2007 10:25 AM
>> Subject: ACL (access control list) tutorial or example
>>
>>
>>> I posted this on comp.lang.java.security yesterday, but haven't
>>> gotten a single answer, so I'm hoping you people can help:
>>>
>>> I'm trying to implement ACL's in my Tomcat-based webapp, and am
>>> having trouble applying what I read in the docs and in my googling to
>>> my real-life application. Could somebody please point me to a good
>>> tutorial or some example code that shows how to set and check the
>>> permissions (read only vs read/write, administration vs general user,
>>> etc) that a given user will have to access a given object?
>>>
>>> I've got the authentication part going with no trouble, but am having
>>> trouble with the access control side of things.
>>>
>>> TIA!
>>> Dave
>>
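The read/write-point checks Pid describes, as an added example that is not code from the thread or from Dave's application: the isUserInRole() gate from his snippet as the coarse check, followed by a per-store lookup keyed on the authenticated user name as the fine-grained one. It also covers the flow Dave describes earlier in the thread, where the permission level travels in the session and decides whether the form's fields are editable: the check is repeated on the POST that carries the edit, because a read-only rendering of a form is not an access control. Assumptions: container-managed login (getUserPrincipal() returns null and isUserInRole() returns false unless Tomcat itself authenticated the user through a Realm and login-config; an application doing its own login can only populate them via HttpServletRequest.login(), available from Servlet 3.0), the servlet API on the classpath and Java 7 or later, a JNDI DataSource named jdbc/inventory, a hypothetical table store_access(user_name, store_id, access_level) holding 'R' or 'RW', and the role name system_admin from Pid's snippet. Note the status codes: 401 for a request with no authenticated user, 403 for an authenticated user who lacks the permission; Pid's snippet sends 401 for the latter, which browsers and proxies read as "log in again".

```java
// UpdateStoreServlet.java (added example; assumes javax.servlet on the classpath, Java 7+,
// container-managed login via a Realm, and a hypothetical table
// store_access(user_name, store_id, access_level) with access_level 'R' or 'RW').
import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Per-store permission lookup keyed on the container-authenticated user name. Deny by default. */
final class StoreAccess {
    enum Level { NONE, READ, READ_WRITE }   // ordinal order is the privilege order
    private final DataSource ds;
    StoreAccess(DataSource ds) {
        this.ds = ds;
    }
    Level levelFor(String userName, int storeId) throws SQLException {
        String sql = "SELECT access_level FROM store_access WHERE user_name = ? AND store_id = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userName);          // bound parameters: the user name never reaches the SQL text
            ps.setInt(2, storeId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return Level.NONE;          // no row at all: this user has nothing on this store
                }
                return "RW".equals(rs.getString(1)) ? Level.READ_WRITE : Level.READ;
            }
        }
    }
    static boolean allows(Level have, Level need) {
        return have.ordinal() >= need.ordinal();
    }
}

/** Store data page: GET renders it, POST applies edits. Both re-check the store on every request. */
public class UpdateStoreServlet extends HttpServlet {
    private StoreAccess access;

    @Override
    public void init() throws ServletException {
        try {   // pool declared in context.xml; the JNDI name is an assumption
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/inventory");
            access = new StoreAccess(ds);
        } catch (NamingException e) {
            throw new ServletException("jdbc/inventory is not bound", e);
        }
    }

    /** True if the request may proceed; otherwise the error response has already been sent.
     *  The store id comes from the request and is checked every time: a user who was shown
     *  the page read-only can still hand-craft a POST, so the rendering is not the control. */
    private boolean permitted(HttpServletRequest req, HttpServletResponse resp, StoreAccess.Level need)
            throws IOException, ServletException {
        Principal user = req.getUserPrincipal();     // null unless Tomcat itself authenticated the user
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // 401: not logged in
            return false;
        }
        int storeId;
        try {
            storeId = Integer.parseInt(req.getParameter("storeId"));   // a missing parameter throws too
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return false;
        }
        if (req.isUserInRole("system_admin")) {
            return true;                                 // coarse role gate; roles come from the Realm
        }
        try {
            if (StoreAccess.allows(access.levelFor(user.getName(), storeId), need)) {
                return true;                             // fine-grained per-store check from the DB
            }
        } catch (SQLException e) {
            throw new ServletException(e);               // fail closed: a DB error is not a "yes"
        }
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);          // 403: logged in, but not allowed
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (!permitted(req, resp, StoreAccess.Level.READ)) return;
        // load the store record and forward to the JSP; pass the level so it can render fields read-only
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (!permitted(req, resp, StoreAccess.Level.READ_WRITE)) return;
        // apply the submitted changes to the store record
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The session can still carry the selected store and date for convenience, but nothing in the session is trusted for the decision: the store id is re-read from the request and the permission is re-queried, so a user who changes the hidden storeId field on the form, or replays a POST against a store they may only read, gets 403 rather than a silent update.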
Re: ACL (access control list) tutorial or example
Posted by David Kerber <dc...@verizon.net>.
Thanks for the response, but I don't think either of these are what I
need. My application involves users who need access to the inventory
data for stores throughout the country, and those locations and users
are all stored in a back-end database. All this is managed by java
classes; tomcat and about 5 jsp's are just the front end for 260 or so
java classes that do the grunt work. I need to be able to ensure that
some users only have access to their own stores, while other users
(regional managers, etc) can access all the stores under their
jurisdiction, and system administrators can manage system settings,
etc. I have those permissions set up in the database, but can't quite
work out how to apply them to ACL's and ACLEntries. That's why I'm
looking for a tutorial and/or sample code.
The people who initially wrote this app tried, but didn't seem to get
the permissions handling set up quite right, because any user who
authenticates successfully has unlimited access to their stores, but
some of them should only have read access, and I need to get it
straightened out.
Thanks,
Dave
Martin Gainty wrote:
> Good Morning Dave...
>
> I would start by referencing this link
> http://tomcat.apache.org/tomcat-6.0-doc/cgi-howto.html
>
> either
> set up security in %JAVA_HOME%/lib/security/java.policy and start java
> with security manager enabled e.g.
> JAVA -Djava.security.policy=java.policy %CATALINA_HOME%\bin\bootstrap.jar
>
> OR
> read everything you can on configuring
> %CATALINA_HOME%/conf/catalina.policy
> and configure the necessary options in catalina.policy *this link
> should get you started*
> http://tomcat.apache.org/tomcat-4.1-doc/security-manager-howto.html
>
> HTH/
> Martin
>
> ----- Original Message ----- From: "David Kerber" <dc...@verizon.net>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Tuesday, May 08, 2007 10:25 AM
> Subject: ACL (access control list) tutorial or example
>
>
>> I posted this on comp.lang.java.security yesterday, but haven't
>> gotten a single answer, so I'm hoping you people can help:
>>
>> I'm trying to implement ACL's in my Tomcat-based webapp, and am
>> having trouble applying what I read in the docs and in my googling to
>> my real-life application. Could somebody please point me to a good
>> tutorial or some example code that shows how to set and check the
>> permissions (read only vs read/write, administration vs general user,
>> etc) that a given user will have to access a given object?
>>
>> I've got the authentication part going with no trouble, but am having
>> trouble with the access control side of things.
>>
>> TIA!
>> Dave
>
Re: ACL (access control list) tutorial or example
Posted by Martin Gainty <mg...@hotmail.com>.
Good Morning Dave...
I would start by referencing this link
http://tomcat.apache.org/tomcat-6.0-doc/cgi-howto.html
either
set up security in %JAVA_HOME%/lib/security/java.policy and start java with
security manager enabled e.g.
JAVA -Djava.security.policy=java.policy %CATALINA_HOME%\bin\bootstrap.jar
OR
read everything you can on configuring %CATALINA_HOME%/conf/catalina.policy
and configure the necessary options in catalina.policy *this link should get
you started*
http://tomcat.apache.org/tomcat-4.1-doc/security-manager-howto.html
HTH/
Martin
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.
----- Original Message -----
From: "David Kerber" <dc...@verizon.net>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Tuesday, May 08, 2007 10:25 AM
Subject: ACL (access control list) tutorial or example
>I posted this on comp.lang.java.security yesterday, but haven't gotten a
>single answer, so I'm hoping you people can help:
>
> I'm trying to implement ACL's in my Tomcat-based webapp, and am having
> trouble applying what I read in the docs and in my googling to my
> real-life application. Could somebody please point me to a good tutorial
> or some example code that shows how to set and check the permissions (read
> only vs read/write, administration vs general user, etc) that a given user
> will have to access a given object?
>
> I've got the authentication part going with no trouble, but am having
> trouble with the access control side of things.
>
> TIA!
> Dave
Re: ACL (access control list) tutorial or example
Posted by Zachary Grafton <za...@gmail.com>.
On Tuesday 08 May 2007 10:25, David Kerber wrote:
> I posted this on comp.lang.java.security yesterday, but haven't gotten a
> single answer, so I'm hoping you people can help:
>
> I'm trying to implement ACL's in my Tomcat-based webapp, and am having
> trouble applying what I read in the docs and in my googling to my
> real-life application. Could somebody please point me to a good
> tutorial or some example code that shows how to set and check the
> permissions (read only vs read/write, administration vs general user,
> etc) that a given user will have to access a given object?
>
> I've got the authentication part going with no trouble, but am having
> trouble with the access control side of things.
>
> TIA!
> Dave
Dave,
I'm not a security expert or anything like that, but you might want to look
into the Java Authentication and Authorization API. While it may not be the
best solution, it might work better for what you are trying to do.
Here's an url that might be a start:
ftp://ftp.oreilly.com/pub/conference/java2001/Rich_Jaas.pdf
Good Luck,
Zack