It really depends on what you're trying to achieve, maybe you could elaborate?
Do you need to restrict access to filesystem resources, servlets, JSPs, images, DB content, or something else?

Martin Gainty wrote:
> Good Evening All-
>
> The best way is to put up a Jsp / servlet which itself has the
> username/password information to let you behind the firewall
> There are a ton of https and firewalls you can install and configure to
> your heart's content
> But none would be more secure and safe than controlling authentication
> (a simple username/password) via the servlet
> Remember to tell .htaccess to disallow execute write and pretty much
> read permissions on everything except for your username/password screen

I'm not sure introducing firewalls is of any help inside a servlet. Nor, really, is .htaccess, given that he hasn't specified that he's using Apache.

> Martin --
>
> ----- Original Message -----
> From: "John Caron" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Tuesday, June 27, 2006 9:01 PM
> Subject: Programmatic Security
>
>> I need to implement fine-grained security access, so it looks to me
>> like "Programmatic Security" (Servlet spec 12.3) is called for. I want
>> to receive the request in my servlet, then decide what access rights
>> are needed for it.
>>
>> In this case, if I understand correctly, the "user must already be
>> authenticated" means that they have tried to access a Tomcat-protected
>> page (eg a login page), have been successfully authenticated by
>> Tomcat, and further requests are returning the JSESSION cookie that
>> was assigned during authentication.
>>
>> Is that right? Is there some other way the req.getRemoteUser() could
>> return non-null?
>>
>> Is there some way that I can programmatically trigger Tomcat to
>> initiate the authentication process?
>> Thanks for any help...

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
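
Added example, not part of the original thread and not Tomcat's own code: one way a servlet can make the per-request decision described in the quoted question, using req.getRemoteUser() and isUserInRole(). It assumes a Servlet 3.0 or later container (where HttpServletRequest.authenticate() exists; the package is jakarta.servlet on Tomcat 10 and later), a `<login-config>` declared in web.xml, and hypothetical names: ResourceGateServlet, the path prefixes, and the dataReader and dataAdmin roles.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; class name, path prefixes and role names are assumptions.
public class ResourceGateServlet extends HttpServlet {
    private static final String ANYONE = "";
    // Constructed policy: path prefix -> role required (ANYONE = no login needed).
    private static final Map<String, String> POLICY = new LinkedHashMap<>();
    static {
        POLICY.put("/public/", ANYONE);
        POLICY.put("/restricted/", "dataReader");
        POLICY.put("/admin/", "dataAdmin");
    }

    // Returns the role required for a path, or null when no rule matches.
    static String requiredRole(String path) {
        for (Map.Entry<String, String> rule : POLICY.entrySet()) {
            if (path.startsWith(rule.getKey())) return rule.getValue();
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getPathInfo() == null ? "/" : req.getPathInfo();
        String role = requiredRole(path);
        if (role == null) {                      // unknown resource: fail closed
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!role.equals(ANYONE)) {
            // getRemoteUser() stays null until the container has authenticated the caller.
            // authenticate() (Servlet 3.0+) starts the configured login mechanism; on
            // false the container has already written the challenge or login redirect.
            if (req.getRemoteUser() == null && !req.authenticate(resp)) return;
            if (!req.isUserInRole(role)) {       // authenticated but not authorized
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("access granted");
    }
}
```

Paths that match no rule are refused rather than served, so a resource added later without a policy entry is not exposed by default.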