Re: Help: auth-constraint with Tomcat 6

2009-06-24 Thread Clement Chong
Hi Tim, Good suggestion! I'll look into it. I am in a situation where I'd prefer to work on my own rather than bother IT with LDAP role setup and subsequent access granting to users. By having a JDBC Realm with a blacklist of users, I can easily control the access. I'll probably dig into the filter

Re: Help: auth-constraint with Tomcat 6

2009-06-24 Thread Christopher Schultz
Tim, On 6/24/2009 2:59 PM, Tim Funk wrote: > If you want a black list - it would probably be easier to write a filter > [programmatic security] instead of declarative security. You can even combine declarative + programmatic and read your configurati

Re: Help: auth-constraint with Tomcat 6

2009-06-24 Thread Tim Funk
If you want a black list - it would probably be easier to write a filter [programmatic security] instead of declarative security. [At a minimum, everyone would still need to be authenticated - it's the authorization which is done via the filter (actually the filter will defer to the realm so the

RE: Help: auth-constraint with Tomcat 6

2009-06-24 Thread Martin Gainty
Jun 2009 23:12:35 +0800 > Subject: Re: Help: auth-constraint with Tomcat 6 > From: ehch...@gmail.com > To: users@tomcat.apache.org > > Hi Tim, > > Basically the first realm contains list of users we want to deny access. The > password would be dynamic, making it difficult

Re: Help: auth-constraint with Tomcat 6

2009-06-24 Thread Clement Chong
Hi Tim, Basically the first realm contains a list of users we want to deny access. The password would be dynamic, making it difficult to get through. Well, maybe I should really consider working with specific roles. That is, grant users with roles that would allow them access. Then I would probably

Re: Help: auth-constraint with Tomcat 6

2009-06-24 Thread Tim Funk
Do you really want to allow different passwords for the same user id? Sounds dangerous. For different access control restrictions you need to set up various roles, which are names chosen by you. Which can be something like - reader, writer - admin, superuser, user - it, sales, marketing,

Help: auth-constraint with Tomcat 6

2009-06-23 Thread Clement Chong
Hi tomcat users, I am using Tomcat 6.0.20 and have successfully implemented a lockout realm with nested JDBCRealm and JNDIRealm. The security constraint has also been set up in my application WEB-INF/web.xml file: * User is now authenticated via JDBCRealm followed by JNDIRealm and
