Setting Security in Jakarta Tomcat 4.1.18

Bob Robertson

Joined: May 16, 2004
Posts: 17

I am trying to manipulate a web site by having the Tomcat users file control who gets to see certain pages on the site, depending on their role. This is just for a pilot, so the users are just being recorded right in the file.

I am implementing a controller/command pattern where each command class forwards the user to the appropriate page.

If a user types in a URL for the page, they are presented with a login dialog. If a user tries to access a page from the menu, and is forwarded to the page via the Controller servlet, they are able to bypass security. The URLs embedded in the pages are "./controller?cmd=ViewDetails". Otherwise there is a servlet mapping that each command class returns to the controller in the format of /viewDetails.

Here is the xml.

Any ideas on how to still use the controller servlet to forward users to various pages while still being able to lock down individual pages?

Thanks for the help!

Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

This is the big gotcha with container-managed AUTH and URL mappings, i.e. the only way to accomplish differentiated, container-managed AUTH is through setting up different URL mappings.

So your command and control servlet (which is known through a single mapping) is . You're looking at programmatic security. With this angle, you need to authenticate on /*, and then use request.isUserInRole("") in your c+c servlet.

What you might consider, though, is providing *multiple* mappings for the control servlet. I know this is really "not the point", but it *would* allow the container AUTH to distinguish (since it can't distinguish something in the query string).

So you'd have in your web.xml:

Or was that not what you were asking?
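The programmatic-security route from the reply above, as an added example that is not code from the original thread. The container only matches its security constraints against the request path, so `/controller?cmd=ViewDetails` is just `/controller` to it, and a `RequestDispatcher.forward()` made by the controller is not subject to security constraints at all, which is exactly why the menu path bypasses the login while the typed URL does not. The controller below therefore does the role check itself before forwarding. It assumes web.xml has a `<security-constraint>` whose `<url-pattern>` covers the controller URL (or `/*`) together with a `<login-config>`, so the container has already authenticated the caller against the realm (e.g. the Tomcat users file) before `doGet` runs. The command names, role names and JSP paths are illustrative, and placing the target pages under `/WEB-INF` so they cannot be requested directly is a design choice of this example, not something the original poster described.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front controller that enforces the role check itself before forwarding.
 *
 * Assumes a <security-constraint> in web.xml already forces authentication on
 * the controller URL (or on /*), so getUserPrincipal()/isUserInRole() reflect
 * the container's login. Command names, roles and JSP paths are illustrative
 * assumptions for this example, not values from the original thread.
 */
public class ControllerServlet extends HttpServlet {

    /** Command name -> role allowed to run it (null = any authenticated user). */
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();

    /** Command name -> page the command forwards to. */
    private static final Map<String, String> TARGET_PAGE = new HashMap<String, String>();

    static {
        // Pages live under /WEB-INF so a browser cannot request them directly
        // and skip this servlet; only a server-side forward can reach them.
        REQUIRED_ROLE.put("ViewDetails", "manager");
        TARGET_PAGE.put("ViewDetails", "/WEB-INF/jsp/viewDetails.jsp");

        REQUIRED_ROLE.put("Home", null);
        TARGET_PAGE.put("Home", "/WEB-INF/jsp/home.jsp");
    }

    /**
     * Decides whether the current caller may run cmd. Kept separate from doGet
     * so the policy can be read (and unit-tested) without a running container.
     */
    static boolean isAllowed(String cmd, HttpServletRequest request) {
        if (cmd == null || !TARGET_PAGE.containsKey(cmd)) {
            return false;                      // unknown command: deny, never forward blindly
        }
        if (request.getUserPrincipal() == null) {
            // Container auth did not run: the web.xml constraint is missing or
            // does not cover this URL. Fail closed rather than trust the caller.
            return false;
        }
        String role = REQUIRED_ROLE.get(cmd);
        return role == null || request.isUserInRole(role);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String cmd = request.getParameter("cmd");
        if (!isAllowed(cmd, request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The forward itself is not checked by the container, which is why the
        // check above has to happen here.
        RequestDispatcher rd = request.getRequestDispatcher(TARGET_PAGE.get(cmd));
        rd.forward(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

If the pages must stay at their own mapped URLs such as `/viewDetails` rather than under `/WEB-INF`, each of those URLs also needs its own `<security-constraint>` in web.xml, otherwise the typed URL remains reachable with no role check; the role names used in `isUserInRole()` must match the `<role-name>` entries declared in web.xml and assigned in the users file.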