Thank you, Mark. I was actually aware of how to do it using the web.xml. I was looking for a valve that could do the same thing, and here is the reason:
If I, as the Tomcat admin, want to manage access permissions (authorization) I can use the /tomcat/conf/web.xml file. However, this file is overridden by matching elements in an individual WAR. So If I say on the tomcat web.xml that only Bill and Ted have access to path A, but an individual WAR's web.xml says that Everyone has access to Path A, then the WAR web.xml wins, right? If I use a valve I can short-circuit the process before it even gets to the web application. In that way, no matter what the developers put into the WAR I have multiple control from Tomcat. Make sense? On Tue, Mar 3, 2020 at 7:04 AM Mark Thomas <ma...@apache.org> wrote: > On 03/03/2020 12:27, Richard Monson-Haefel wrote: > > I've tried to find this but keep running into the three remote address > > valves (address, IP, and CIDR) what I'm looking for is an access valve > that > > uses roles from a realm that checks roles to either path or web > application > > identifiers - not remote address. This is classic authorization - > > role-based authorization. > > Servlet specification, version 4, section 13.2 & 13.8 in particular. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- Richard Monson-Haefel https://twitter.com/rmonson https://www.linkedin.com/in/monsonhaefel/
