Posted to users@tomcat.apache.org by Riaan Oberholzer <ri...@yahoo.com> on 2003/12/19 08:55:32 UTC

Realms question

Hi,

I have a web-app that defines different roles, so a
user does not have access to all jsp/servlets in the
web-app, depending on his role. An admin user e.g. can
see pages to edit data, while a 'normal' user can only
view it.

What's the best way to enforce this security?

I am now doing it by storing the user object (once
logged in) in the session and per jsp/servlet checking
his status as the very first action. It works well,
so should I keep this or move to using a realm?

If I do move to a Realm, I assume I would have to set
up a security constraint for every jsp/servlet (or
groups thereof)? Any hints & tips to optimize this?

Thanks



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Realms question

Posted by Duncan Smith <ds...@deckertelecom.net>.
If you switch to using a realm, you can use wildcards in the constraints
so that it applies to a whole directory?

Whether this is useful obviously depends on whether you have all your JSPs
in the same directory, or you could have a *.jsp wildcard to cover all
JSPs. It will depend on your naming conventions for the servlets.

- Duncan
www.pennymail.com

Riaan Oberholzer wrote:

> Hi,
>
> I have a web-app that defines different roles, so a
> user does not have access to all jsp/servlets in the
> web-app, depending on his role. An admin user e.g. can
> see pages to edit data, while a 'normal' user can only
> view it.
>
> What's the best way to enforce this security?
>
> I am now doing it by storing the user object (once
> logged in) in the session and per jsp/servlet checking
> his status as the very first action. It works well,
> so should I keep this or move to using a realm?
>
> If I do move to a Realm, I assume I would have to set
> up a security constraint for every jsp/servlet (or
> groups thereof)? Any hints & tips to optimize this?
>
> Thanks

