Posted to users@tomcat.apache.org by "Henrique, Manuel" <Ma...@logicacmg.com> on 2005/04/18 17:08:51 UTC

user management

Hello all,

I try again because it seems that my message wasn't received. I am sorry for
the inconvenience if you have already received my message.

So here is my problem. I hope someone could help me:

Hello,

I don't know if it's you I need to contact, but I have been trying to solve
this issue for 3 days and I can't.

I got an old intranet/resin/struts/java application and I need to migrate it
to Tomcat 5.0/Struts 1.1/java 1.4.2 on a Windows platform (sorry it's not me
who chooses).

My question concerns security.

In the old version I have:

in web.xml:

<security-constraint>
   <constraint>
      <class-name>com.erdv.security.CustomSecurity</class-name>
      <init-param userGroup='administrator'/>
   </constraint>
   <web-resource-collection>
      <web-resource-name>Manager access control config</web-resource-name>
      <url-pattern>/erdv/feedback_admin</url-pattern>
      <url-pattern>/erdv/feedback_detail</url-pattern>
   </web-resource-collection>
</security-constraint>

<security-constraint>
   <constraint>
      <class-name>com.erdv.security.CustomSecurity</class-name>
      <init-param userGroup='ods_administrator'/>
   </constraint>
   <web-resource-collection>
      <web-resource-name>Manager access control config</web-resource-name>
      <url-pattern>/erdv/ods_creatdoc</url-pattern>
      <url-pattern>/erdv/ods_upddoc</url-pattern>
      <url-pattern>/erdv/ods_creatresult</url-pattern>
      <url-pattern>/erdv/ods_updresult</url-pattern>
   </web-resource-collection>
</security-constraint>

etc...

So when I need to add a file to a userGroup I just need to add the path to
the right block.

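In the CustomSecurity security class (quick summary):

// AbstractConstraint comes from Resin (its import is omitted here).
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CustomSecurity extends AbstractConstraint {

  // Group required for the URLs of this constraint
  private String userGroup;

  public CustomSecurity() {}

  // Set from <init-param userGroup='...'/> in web.xml
  public void setUserGroup(String userGroup) {
    this.userGroup = userGroup;
  }

  public boolean isAuthorized(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application)
      throws ServletException, IOException
  {
    HttpSession userSession = request.getSession();
    String email = request.getHeader("uid");
    String login = (String) userSession.getAttribute("LOGIN");

    // Application's own database lookup (not shown)
    String usel = GetFromDatabaseTheUserLevel(login);

    // Compare contents with equals(); == only compares references
    if (userGroup != null && userGroup.equals(usel)) {
      return true;
    }
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return false;
  }
}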


My problems are:

1 - the AbstractConstraint class that extends the CustomSecurity class is a
Resin class. So I can't find an equivalent in Tomcat.

2 - I am trying to understand how it works with the web.xml file. I find a lot
of documentation that explains that the security level is managed by
web.xml, etc... but none explains how it works. How the hell does it get
the information from the web.xml? How are the user levels managed? etc...

3 - How can I get a similar way of security management with Tomcat?
What I need is to put the paths for each user level into web.xml, and check
WITHOUT PROMPTING SOMETHING the user level against his known level in our
database.

I hope you can help me even if my questions seem very easy because I'm a
beginner in Tomcat/Java.

Regards,

Manuel
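
The arrangement asked for in points 2 and 3, written as a Servlet 2.4 Filter (an added example, not part of the original post and not Tomcat's own code): the required group comes from a web.xml init-param, each filter-mapping names one protected path, and the check uses the LOGIN session attribute without prompting. UserGroupFilter, the jdbc/erdv DataSource and the users(login, user_level) table are assumed names.

```java
// Added example. Assumed names: UserGroupFilter, jdbc/erdv, users(login, user_level).
// web.xml, one <filter> per group and one <filter-mapping> per protected URL:
//   <filter><filter-name>adminOnly</filter-name>
//     <filter-class>com.erdv.security.UserGroupFilter</filter-class>
//     <init-param><param-name>userGroup</param-name>
//       <param-value>administrator</param-value></init-param></filter>
//   <filter-mapping><filter-name>adminOnly</filter-name>
//     <url-pattern>/erdv/feedback_admin</url-pattern></filter-mapping>
package com.erdv.security;

import java.io.IOException;
import java.sql.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class UserGroupFilter implements Filter {
    private String userGroup;   // group required by this filter instance
    private DataSource ds;      // container-managed connection pool (assumed JNDI name)

    public void init(FilterConfig cfg) throws ServletException {
        userGroup = cfg.getInitParameter("userGroup");
        if (userGroup == null) throw new ServletException("userGroup init-param missing");
        try {
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/erdv");
        } catch (NamingException e) { throw new ServletException(e); }
    }
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) rq).getSession(false); // never create one here
        String login = session == null ? null : (String) session.getAttribute("LOGIN");
        if (login != null && userGroup.equals(levelOf(login))) {
            chain.doFilter(rq, rs);   // group matches: let the request through
            return;
        }
        ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed
    }
    private String levelOf(String login) throws ServletException {
        Connection c = null;
        try {
            c = ds.getConnection();
            PreparedStatement ps = c.prepareStatement("SELECT user_level FROM users WHERE login = ?");
            ps.setString(1, login);   // bound parameter, never string concatenation
            ResultSet r = ps.executeQuery();
            return r.next() ? r.getString(1) : null;   // unknown login -> no level -> 403
        } catch (SQLException e) { throw new ServletException(e);
        } finally { if (c != null) try { c.close(); } catch (SQLException ignored) { } }
    }
    public void destroy() { }
}
```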
