Setting Security in Jakarta Tomcat 4.1.18

I am trying to manipulate a web site by having the Tomcat users file control who gets to see certain pages on the site depending on their role. This is just for a pilot so the users are just being recorded right in the file.

I am implementing a controller/command pattern where each command class forwards the user to the appropriate page.

If a user types in a URL for the page, they are presented with a login dialog. If a user tries to access a page from the menu, and is forwarded to the page via the Controller servlet, they are able to bypass security. The URLs embedded in the pages are "./controller?cmd=ViewDetails". Otherwise there is a servlet mapping that each command class returns to the controller in the format of /viewDetails.

Here is the XML.

Any ideas on how to still use the controller servlet to forward users to various pages while still being able to lock down individual pages?

Thanks for the help!

This is the big gotcha with container-managed AUTH and URL mappings, i.e. the only way to accomplish differentiated, container-managed AUTH is through setting up different URL mappings.

So your command and control servlet (which is known through a single mapping) is . You're looking at programmatic security. With this angle, you need to authenticate on /*, and then use request.isUserInRole("") in your c+c servlet.

What you might consider though, is providing *multiple* mappings for the control servlet. I know this is really "not the point", but it *would* allow the container AUTH to distinguish (since it can't distinguish something in the query string).

So you'd have in your web.xml:

Or was that not what you were asking?
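The programmatic-security route described in the reply above, worked through as an added example (this code is not from the thread or from Tomcat). It targets the Servlet 2.3 API that Tomcat 4.1 implements, so it uses pre-generics collections. The deployment descriptor excerpt in the header comment, the role names `user` and `admin`, the command names and the JSP paths are all assumptions made for the example. The point it demonstrates: a security-constraint on `/*` makes the container authenticate every request, but the container cannot see `cmd=...` in the query string and `RequestDispatcher.forward()` is not subject to security constraints at all, so the controller itself must call `isUserInRole()` before forwarding. Keeping the views under `/WEB-INF/` means they cannot be requested directly, which closes the bypass the original post describes.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front controller that authorises each command itself before forwarding.
 *
 * Assumed web.xml fragment (hypothetical; not taken from the thread):
 *
 *   <servlet-mapping>
 *     <servlet-name>controller</servlet-name>
 *     <url-pattern>/controller</url-pattern>
 *   </servlet-mapping>
 *   <!-- optional, the reply's alternative: one extra mapping per command -->
 *   <servlet-mapping>
 *     <servlet-name>controller</servlet-name>
 *     <url-pattern>/viewDetails</url-pattern>
 *   </servlet-mapping>
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Whole application</web-resource-name>
 *       <url-pattern>/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>user</role-name>
 *       <role-name>admin</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <security-role><role-name>user</role-name></security-role>
 *   <security-role><role-name>admin</role-name></security-role>
 *
 * Because the constraint covers /*, the container has already authenticated
 * the caller when this servlet runs. It has NOT decided whether the caller may
 * run the requested command: the query string is invisible to constraints, and
 * forward() skips them entirely. That decision is made in doGet() below.
 */
public class ControllerServlet extends HttpServlet {

    /** Lower-cased command name -> required role and target view (assumed values). */
    private static final Map COMMANDS = new HashMap();
    static {
        COMMANDS.put("viewdetails", new Command("user",  "/WEB-INF/jsp/viewDetails.jsp"));
        COMMANDS.put("editdetails", new Command("admin", "/WEB-INF/jsp/editDetails.jsp"));
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cmd = req.getParameter("cmd");
        if (cmd == null || cmd.length() == 0) {
            // Reached through one of the per-command mappings (e.g. /viewDetails):
            // derive the command from the servlet path instead of the query string.
            cmd = req.getServletPath().substring(1);
        }
        Command command = (Command) COMMANDS.get(cmd.toLowerCase());
        if (command == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Authorisation check the container cannot do for us. getRemoteUser() is
        // non-null here because /* is constrained; isUserInRole() consults the
        // realm (tomcat-users.xml in the original poster's pilot).
        if (!req.isUserInRole(command.role)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Views live under /WEB-INF so a client cannot request them directly;
        // only a forward from this servlet, after the check above, reaches them.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(command.view);
        rd.forward(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }

    /** Immutable pairing of the role a command needs and the view it renders. */
    static final class Command {
        final String role;
        final String view;

        Command(String role, String view) {
            this.role = role;
            this.view = view;
        }
    }
}
```

The per-command `servlet-mapping` shown in the comment is the reply's second suggestion: with `/viewDetails` and similar patterns mapped to the controller, each can carry its own `security-constraint` and the container does the role check. The `isUserInRole()` check in `doGet()` stays useful even then, because any page still reachable as `controller?cmd=...` would otherwise be authorised only by the blanket `/*` constraint.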