Setting Security in Jakarta Tomcat 4.1.18

I am trying to manipulate a web site by having the Tomcat users file control who gets to see certain pages on the site depending on their role. This is just for a pilot so the users are just being recorded right in the file.

I am implementing a controller/command pattern where each command class forwards the user to the appropriate page.

If a user types in a URL for the page, they are presented a login dialog. If a user tries to access a page from the menu, and is forwarded to the page via the Controller servlet, they are able to bypass security. The URLs embedded into the pages are "./controller?cmd=ViewDetails". Otherwise there is a servlet mapping that each command class returns to the controller in the format of /viewDetails.

Here is the xml.

Any ideas on how to still use the controller servlet to forward users to various pages while still being able to lock down individual pages?

Thanks for the help!

This is the big gotcha with container-managed AUTH and URL mappings, i.e. the only way to accomplish differentiated, container-managed AUTH is through setting up different URL mappings.

So your command and control servlet (which is known through a single mapping) is . You're looking at programmatic security. With this angle, you need to authenticate on /*, and then use request.isUserInRole("") in your c+c servlet.

What you might consider though, is providing *multiple* mappings for the control servlet. I know this is really "not the point", but it *would* allow the container AUTH to distinguish (since it can't distinguish something in the query string).

So you'd have in your web.xml:

Or was that not what you were asking?
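The programmatic-security route described in the reply above, as an added example that is not code from either poster. The bypass the original question describes happens because container security constraints are matched against the URL the client requested, not against the path a RequestDispatcher forwards to; so once /controller is reachable, the forward to the page is never re-checked. The servlet below assumes a web.xml (not shown in the thread) that puts a single security-constraint on /* so the container authenticates every request, and it then does the per-command role check itself with isUserInRole before forwarding. The command names, role names and JSP paths are constructed for the example; the JSPs are placed under /WEB-INF so they cannot be requested directly and the controller is the only way in.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml (an assumption for this example, not from the thread):
 *   <servlet-mapping> for this class on /controller
 *   one <security-constraint> with <url-pattern>/*</url-pattern> whose
 *   <auth-constraint> lists every application role (e.g. user, manager)
 *   a <login-config> (BASIC or FORM) against the tomcat-users realm
 * With that in place the container has already authenticated the caller
 * by the time doGet runs, so isUserInRole() reflects tomcat-users.xml.
 */
public class ControllerServlet extends HttpServlet {

    /** Command name (from ?cmd=) -> role required to run it. Constructed table. */
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();

    /** Command name -> view it forwards to, kept under /WEB-INF so it is
     *  not directly addressable by a client URL. Constructed table. */
    private static final Map<String, String> TARGET_PAGE = new HashMap<String, String>();

    static {
        REQUIRED_ROLE.put("ViewSummary", "user");
        TARGET_PAGE.put("ViewSummary", "/WEB-INF/jsp/viewSummary.jsp");
        REQUIRED_ROLE.put("ViewDetails", "manager");
        TARGET_PAGE.put("ViewDetails", "/WEB-INF/jsp/viewDetails.jsp");
    }

    /** Role required for a command, or null if the command is unknown. */
    static String requiredRole(String cmd) {
        return cmd == null ? null : REQUIRED_ROLE.get(cmd);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cmd = req.getParameter("cmd");
        String role = requiredRole(cmd);

        // Unknown command: fail closed rather than forwarding anywhere.
        if (role == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Defence in depth: if the /* constraint is missing or misconfigured
        // the container will not have authenticated, and every isUserInRole()
        // call would silently return false. Make that visible instead.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The per-page check the container cannot do from a query string.
        if (!req.isUserInRole(role)) {
            log("denied cmd=" + cmd + " user=" + req.getRemoteUser()
                    + " needs role=" + role);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authorised: forward to the view. The forward itself is not
        // re-checked by the container, which is why the check sits here.
        RequestDispatcher rd = getServletContext()
                .getRequestDispatcher(TARGET_PAGE.get(cmd));
        rd.forward(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

If you take the multiple-mapping route instead, the same table becomes several servlet-mapping entries for ControllerServlet (/viewSummary, /viewDetails) with one security-constraint per URL pattern, and the servlet reads the command from getServletPath() instead of the cmd parameter; the JSPs still belong under /WEB-INF either way, otherwise a user who knows the JSP's path can skip the controller entirely.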