Posted to users@tomcat.apache.org by af...@zipmail.com on 2002/12/12 20:38:24 UTC
Configuring Security URLs (realm)
Hi,
I want to know if there is a way to manage authorization to
URL + Parameters.
I am using servlets and states to identify the action in my
programs, so this is very important.
For now I am using this XML:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sample Airlines</web-resource-name>
    <url-pattern>/servlet/examples.reservaVoos.Servlet</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
I need something like:
...
<url-pattern>/servlet/examples.reservaVoos.Servlet?STATE=0</url-pattern>
...
Is there a way to do that???
Thanks.
________________________________________________
Don't E-Mail, ZipMail! http://www.zipmail.com/
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Configuring Security URLs (realm)
Posted by af...@zipmail.com.
OK! ;)
Thanks everybody, I will look for alternatives. But I will
probably add a feature of resource (URI) with the user and
passwd. Then use a filter to complement the authorization.
On Fri, 13 Dec 2002 01:55:56 -0800
"Bill Barker" <wb...@wilshire.com> wrote:
>Probably easier is to just check the condition in your Servlet and/or
>Filter:
>  String st = (String)request.getParameter("STATE");
>  if( st == null) {
>    response.sendError( 401, "No State");
>    return;
>  }
>  int state=-1;
>  try {
>    state = Integer.parseInt(st);
>  } catch(NumberFormatException nfe) {
>    response.sendError(401, "Not Authenticated");
>    return;
>  }
>  if( !validState(state) ) { // your code to validate the STATE param.
>    response.sendError(403, "Hackers not welcome");
>    return;
>  }
>  // Your code here.
>
>"Jeanfrancois Arcand" <jf...@apache.org> wrote in message
>news:3DF97875.6020306@apache.org...
>> No. You cannot (it's against the Servlet spec). If you really need it,
>> you can download the Tomcat code and customize
>> o.a.c.authenticator.AuthenticatorBase.invoke in Tomcat 4, and
>> o.a.c.realm.RealmBase.hasResourcePermission in Tomcat 5.
>>
>> -- Jeanfrancois
>>
>> afterz@zipmail.com wrote:
>>
>> >Hi,
>> >I want to know if there is a way to manage authorization to
>> > URL + Parameters.
>> >I am using servlets and states to identify the action in my
>> > programs, so this is very important.
>> >
>> >For now I am using this XML:
>> >
>> ><security-constraint>
>> > <web-resource-collection>
>> > <web-resource-name>Sample Airlines</web-resource-name>
>> > <url-pattern>/servlet/examples.reservaVoos.Servlet</url-pattern>
>> > </web-resource-collection>
>> > <auth-constraint>
>> > <role-name>manager</role-name>
>> > </auth-constraint>
>> ></security-constraint>
>> >
>> >I need something like:
>> > ...
>> > <url-pattern>/servlet/examples.reservaVoos.Servlet?STATE=0</url-pattern>
>> > ...
>> >
>> >Is there a way to do that???
>> >Thanks.
Re: Configuring Security URLs (realm)
Posted by Bill Barker <wb...@wilshire.com>.
Probably easier is to just check the condition in your Servlet and/or
Filter:
  String st = (String)request.getParameter("STATE");
  if( st == null) {
    response.sendError( 401, "No State");
    return;
  }
  int state=-1;
  try {
    state = Integer.parseInt(st);
  } catch(NumberFormatException nfe) {
    response.sendError(401, "Not Authenticated");
    return;
  }
  if( !validState(state) ) { // your code to validate the STATE param.
    response.sendError(403, "Hackers not welcome");
    return;
  }
  // Your code here.
"Jeanfrancois Arcand" <jf...@apache.org> wrote in message
news:3DF97875.6020306@apache.org...
> No. You cannot (it's against the Servlet spec). If you really need it,
> you can download the Tomcat code and customize
> o.a.c.authenticator.AuthenticatorBase.invoke in Tomcat 4, and
> o.a.c.realm.RealmBase.hasResourcePermission in Tomcat 5.
>
> -- Jeanfrancois
>
> afterz@zipmail.com wrote:
>
> >Hi,
> >I want to know if there is a way to manage authorization to
> > URL + Parameters.
> >I am using servlets and states to identify the action in my
> > programs, so this is very important.
> >
> >For now I am using this XML:
> >
> ><security-constraint>
> > <web-resource-collection>
> > <web-resource-name>Sample Airlines</web-resource-name>
> > <url-pattern>/servlet/examples.reservaVoos.Servlet</url-pattern>
> > </web-resource-collection>
> > <auth-constraint>
> > <role-name>manager</role-name>
> > </auth-constraint>
> ></security-constraint>
> >
> >I need something like:
> > ...
> >
> > <url-pattern>/servlet/examples.reservaVoos.Servlet?STATE=0</url-pattern>
> > ...
> >
> >Is there a way to do that???
> >Thanks.
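The in-code check suggested in the reply above, written as a servlet Filter that maps each STATE value to a required role and denies by default. This is an added example, not code from the thread: the class name, the role map and the "agent" role are assumptions, and it uses the javax.servlet API (jakarta.servlet on newer Tomcat releases).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: per-STATE role check in front of examples.reservaVoos.Servlet. */
public class StateAuthorizationFilter implements Filter {

    // Assumed mapping of STATE value -> role required for that action.
    private final Map<Integer, String> requiredRole = new HashMap<>();

    public void init(FilterConfig config) {
        requiredRole.put(0, "manager"); // STATE=0 needs the thread's "manager" role
        requiredRole.put(1, "agent");   // hypothetical second state and role
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Reject a missing or repeated STATE so the filter and the servlet
        // can never disagree about which value is in effect.
        String[] values = request.getParameterValues("STATE");
        if (values == null || values.length != 1) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid STATE");
            return;
        }
        int state;
        try {
            state = Integer.parseInt(values[0]);
        } catch (NumberFormatException nfe) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid STATE");
            return;
        }
        // Deny by default: a state with no mapping is forbidden, not open.
        String role = requiredRole.get(state);
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to the same url-pattern as the security-constraint and keep that constraint in web.xml, so the container has already authenticated the user when isUserInRole is called.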
Re: Configuring Security URLs (realm)
Posted by Jeanfrancois Arcand <jf...@apache.org>.
No. You cannot (it's against the Servlet spec). If you really need it,
you can download the Tomcat code and customize
o.a.c.authenticator.AuthenticatorBase.invoke in Tomcat 4, and
o.a.c.realm.RealmBase.hasResourcePermission in Tomcat 5.
-- Jeanfrancois
afterz@zipmail.com wrote:
>Hi,
>I want to know if there is a way to manage authorization to
> URL + Parameters.
>I am using servlets and states to identify the action in my
> programs, so this is very important.
>
>For now I am using this XML:
>
><security-constraint>
> <web-resource-collection>
> <web-resource-name>Sample Airlines</web-resource-name>
> <url-pattern>/servlet/examples.reservaVoos.Servlet</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>manager</role-name>
> </auth-constraint>
></security-constraint>
>
>I need something like:
> ...
> <url-pattern>/servlet/examples.reservaVoos.Servlet?STATE=0</url-pattern>
> ...
>
>Is there a way to do that???
>Thanks.