You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by John MccLain <jm...@tcshealthcare.com> on 2004/02/25 01:03:41 UTC
security-constraint node question
How would I get Tomcat to use a database table instead of the web or server
.xml files' <security-constraint>.<auth-constraint>.<role-name> to enforce
authorization? I would prefer to have objects in my webapp to have
configurable authorization applied to them outside of tomcat configuration
files; Done more like JDBCRealm authentication.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: security-constraint node question
Posted by Tim Funk <fu...@joedog.org>.
You would need to combine to security philosphies
- container based security
- programmer based security
The first is done via web.xml and mathcing URL's against given roles. When
that is not enough, then you need to use programmtic security. You use the
HttpServletRequest objects instance method's getPrincipal, getRemoteUser, or
isUserInRole to decide ig the user can do what you want.
The jey point is the servlet spec only places security constraint on the
*incoming* URL. (for 2.3 --> tomcat 4.x)
-Tim
John MccLain wrote:
> How would I get Tomcat to use a database table instead of the web or server
> .xml files' <security-constraint>.<auth-constraint>.<role-name> to enforce
> authorization? I would prefer to have objects in my webapp to have
> configurable authorization applied to them outside of tomcat configuration
> files; Done more like JDBCRealm authentication.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org