Managing authorization

 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Sounds like a very very simple question for you gurus.
I plan to use J2EE declarative authorization.
1) I've got protected Web resources (JSPs). Only the role "admin" can access them.
What occurs if a user associated with another role tries to access them?
Is it an HTTP 403 error? If yes, how can I send the error page in a user-friendly form?
Do I have to use the <exception-type>403</exception-type> to associate it to my "beautiful html page" or is there something else better to implement?
2) Let's say I have the same authorization rule for an EJB method this time.
What occurs when a user not in the admin role tries to access the EJB? Any specific exception?
Maybe I'm off track.
If you know a better way to manage authorization for a web application, please give me clues or URLs to refer to.
(My aim is to avoid programmatic security.)
[This message has been edited by Bill Bailey (edited December 19, 2001).]
 
JeanLouis Marechaux

Should I rather use an Intercepting Filter to manage authorizations?
 
JeanLouis Marechaux
Sounds like I'm alone with this thread.
The answer to question 2 is: java.lang.SecurityException
I'm still a little bit confused about the authorization process.
I think the J2EE specification is fuzzy about that part.
 
JeanLouis Marechaux
OK, I think I got it now.
Accessing a protected resource:
- Error.jsp displayed if authentication failed
- HTTP 403 if authentication succeeded and authorization failed
- Protected resource displayed if both succeed.
(This is how it is implemented in app servers, but I can't see any reliable info in the specs about the HTTP 403 error)

Sorry if I bothered you with my rookie problem.
[This message has been edited by Bill Bailey (edited December 21, 2001).]
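
The three outcomes listed in the last post, expressed as a declarative web.xml (an added example, not part of the original thread). It uses the Servlet 2.3 deployment descriptor, where an HTTP status is mapped with error-code rather than exception-type; the /admin/* pattern and the /login.jsp and /forbidden.html paths are assumed names, while Error.jsp and the "admin" role come from the posts above.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Authentication succeeded, authorization failed: the container
       answers 403 and serves this page instead of its default one.
       /forbidden.html is an assumed path; keep it outside /admin/*
       so the error page itself is not subject to the constraint. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>

  <!-- Only callers in the "admin" role may reach the protected JSPs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No http-method elements on purpose: the constraint then
           applies to every HTTP method, not just the ones listed. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication failed: the container forwards to Error.jsp.
       /login.jsp is an assumed page that posts j_username and
       j_password to j_security_check; it must be unprotected too. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/Error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

How users are assigned to the "admin" role is configured in the application server, outside this descriptor.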
 