Posted to dev@tomcat.apache.org by Nacho <na...@siapi.es> on 2000/05/22 01:08:15 UTC

RE: How can i do.....? ( from the famous series of silly questions by nacho)

hi, Craig, 

Please read the message below, I'm saying some silly things but I don't
catch what and why, or I'm saying it in a manner that is so .. , can you
point me in the right direction? as you smartly have done...:-).

Regards,
Ignacio J. Ortega





> -----Original Message-----
> From: Nacho [mailto:nacho@siapi.es]
> Sent: Saturday, May 20, 2000 23:34
> To: 'tomcat-dev@jakarta.apache.org'
> Subject: How can i do.....? ( from the famous series of silly questions
> by nacho)
> 
> 
> Hi, All
> 
> How can I do security-constraints dynamic? What I can say with this?
>
> I want to change security-constraints dynamically in a web site, that
> this in the actual incarnation of tomcat every change to the web.xml
> file of a webapp leads to a reloading of the server, is this right ??
>
> Well, imagine, how can I administer the security-constraints of a webapp
> without restarting in same manner the server?? Or perhaps in the future
> only the affected context?
>
> I want to implement this kind of dynamic security in my webapp, I want
> to store the security-constraint fragment of the web.xml file, i.e. in a
> database or perhaps on JNDI context or..., I like to describe ( to my
> work colleagues ) the actual status of tomcat security as "STATIC"
> security, I want to make tomcat work like a FileSystem works in an OS,
> imagine restarting the system whenever security of files changes...
>
>
> As I can read the DTD of web.xml and therefore of the manner of
> security-constraints are implemented in tomcat belongs to the
> Servlet&JSP spec, this means that I need a thing that is not in the
> spec???? what a surprise. ;-)
>
> Can anyone give me a hint about how can I do what I want?
> 
> 
> Regards,
> Ignacio J. Ortega

Re: How can i do.....? ( from the famous series of silly questions by nacho)

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
See below.

Nacho wrote:

> hi, Craig,
>
> Please read the message below, I'm saying some silly things but I don't
> catch what and why, or I'm saying it in a manner that is so .. , can you
> point me in the right direction? as you smartly have done...:-).
>
> Regards,
> Ignacio J. Ortega
>
> > -----Original Message-----
> > From: Nacho [mailto:nacho@siapi.es]
> > Sent: Saturday, May 20, 2000 23:34
> > To: 'tomcat-dev@jakarta.apache.org'
> > Subject: How can i do.....? ( from the famous series of silly questions
> > by nacho)
> >
> >
> > Hi, All
> >
> > How can I do security-constraints dynamic? What I can say with this?
> >

There are at least two kinds of dynamic security to be considered here:

(1) Changes to users and their passwords and/or roles.

(2) Changes in the security constraints (i.e. what URLs are protected
     by what roles).

For the first case, it is fairly simple if the underlying realm of
usernames/passwords/roles supports write access.  This is not true of the
"MemoryRealm" included in Tomcat 3.1 (it only reads the file at startup
time), but if you are using a different realm (such as the JDBC realm that
was recently contributed to Catalina) this will work just fine.  The same
would generally be true of a JNDI based implementation.

As an example, consider that you want to build a portal site where users can
self register.  Your registration servlet would store the new user in the
database, and it would then be immediately visible for authentication and
access control when the user tried to access a protected page.

The second case is more complicated.  There is no mechanism to dynamically
change security constraints in a portable manner -- the web.xml file is only
read at application startup time.  However, your servlet container may
support the ability (through internal APIs) to add, change, or remove
security constraints that are currently in force while the app is running.
(Tomcat does not allow this, but Catalina does, for example).  You'll have
to do system level programming in a manner specific to your particular
container to accomplish this -- therefore, you should really be thinking
through how important it really is.  Can you accomplish what you want with
just dynamic changes to users and the roles they have been assigned, or do
you absolutely have to change security constraints themselves?

One place where change happens a lot is during development -- as you add new
pages, you want to test your security related code too.  However, nothing
stops you from putting in security constraints that deal with pages that do
not exist yet -- so a useful strategy would be to set up (ahead of time) all
the constraints that cover the pages I am about to work on, start the
servlet container, and go to work.  As long as you can do a reasonable
amount of planning ahead, you won't have to restart your container very
often (I find myself changing servlet init parameters much more often than I
do security constraints).

Now if there was only a way to force a webapp to reload when web.xml is
changed ... I will add that to the Catalina "nice to have" list.

Craig
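
The following is an added example, not code from this thread or from Tomcat/Catalina. It models the first case described in the reply: the security constraints are fixed at startup (as if read once from web.xml), while user-to-role assignments live in a writable store, so a grant or revoke changes access on the next request without any reload. The class names, the in-memory realm, the "first matching constraint decides" rule and the sample paths are assumptions of this sketch; it needs Java 16 or later for `record`.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class DynamicRolesDemo {
    /** One security-constraint as loaded from web.xml: url-pattern plus allowed roles. */
    record Constraint(String urlPattern, Set<String> roles) {
        boolean matches(String path) {
            if (urlPattern.endsWith("/*")) {                  // path-prefix pattern
                String prefix = urlPattern.substring(0, urlPattern.length() - 2);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            if (urlPattern.startsWith("*."))                  // extension pattern
                return path.endsWith(urlPattern.substring(1));
            return path.equals(urlPattern);                   // exact pattern
        }
    }

    /** Hypothetical in-memory stand-in for a writable (JDBC- or JNDI-backed) realm. */
    static class WritableRealm {
        private final Map<String, Set<String>> rolesByUser = new ConcurrentHashMap<>();
        void grant(String user, String role) {
            rolesByUser.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet()).add(role);
        }
        void revoke(String user, String role) {
            rolesByUser.computeIfPresent(user, (u, rs) -> { rs.remove(role); return rs; });
        }
        boolean hasRole(String user, String role) {           // null user = not logged in
            return user != null && rolesByUser.getOrDefault(user, Set.of()).contains(role);
        }
    }

    /** Model assumption: the first matching constraint decides; unmatched paths are open. */
    static boolean allowed(List<Constraint> fixed, WritableRealm realm, String user, String path) {
        for (Constraint c : fixed)
            if (c.matches(path)) return c.roles().stream().anyMatch(r -> realm.hasRole(user, r));
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: the constraint list is built once and never modified.
        List<Constraint> fixed = List.of(new Constraint("/members/*", Set.of("member")),
                                         new Constraint("/admin/*", Set.of("admin")));
        WritableRealm realm = new WritableRealm();
        System.out.println(allowed(fixed, realm, "nacho", "/members/home.jsp"));
        realm.grant("nacho", "member");                       // e.g. self-registration
        System.out.println(allowed(fixed, realm, "nacho", "/members/home.jsp"));
        realm.revoke("nacho", "member");                      // applies on the next check
        System.out.println(allowed(fixed, realm, "nacho", "/members/home.jsp"));
    }
}
```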