Where to specify the authorization

In JAAS, the authorization is specified in grant entries in the policy file, and it is implemented by java.security.ProtectionDomain. A grant entry grants rights to code sources or principals/usernames. The action of authorization is done by java.lang.SecurityManager.

In Tomcat, the authorization is specified in the web-resource-collection and user-data-constraint elements in web-app (web.xml), and it is implemented by SecurityConstraint. (This is what the Realm should be. At present, the Realm mixes up user management, authorization and authentication.) In web.xml, the security-constraint element authorizes rights to roles. The action of authorization is done by Realm (hasResourcePermission, hasUserDataPermission).

I suggest letting Realm continue to act as a SecurityManager, since SecurityConstraint already acts as the Realm.