Are you talking about the tomcat-users.xml file and the roles defined in
there?
The security-contraints are pretty flexible and you can use any number of
ways to define your realms. If you look at the web.xml for the manager
application (that is shipped with Tomcat), you can see how that realm is
defined and used. You can even use encrypting on the passwords in that
file. If you don't mind maintaing that file for roles and users, then just
modify it to fit your needs and change your security contraint for your web
application to match those roles. Below is a quick example. If you are
wanting something for flexible, then you can research and use your favorite
database for authentication or even your favorite LDAP. Below is a quick
example of how to use a user-defined role in the tomcat-users.xml file and
how to match it to two different URLS in one web app.
Please understand, this is just a quick example and I do not dare declare
that this will work. Just a springboard to help you get your feet wet.
tomcat-users.xml:
<tomcat-users>
<role rolename="role1"/>
<role rolename="role2"/>
<user username="user1" password="userpass1" roles="role1,role2"/>
<user username="user2" password="userpass2" roles="role2"/>
</tomcat-users>
application's web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restrict to role1 and role2/>
<url-pattern>/welcome.jsp</url-pattern>
</web-resource-collection>
<auth-contraint>
<role-name>role1</role-name>
<role-name>role2</role-name>
</auth-contraint>
</security-contraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restrict to role2 only/>
<url-pattern>/other.jsp</url-pattern>
</web-resource-collection>
<auth-contraint>
<role-name>role2</role-name>
</auth-contraint>
</security-contraint>
<security-role>
<description>some descr</description>
<role-name>role1</role-name>
<role-name>role2</role-name>
</security-role>
On 8/17/06, Propes, Barry L <[EMAIL PROTECTED]> wrote:
to add to my question earlier below, would it be something as simple as?
String juser= (String) request.getAttribute("j_username");
Granted I have no idea what the session attribute is under the hood, only
know that j_username is the input name for the user_name.
I was thinking with that info, I could then run a select query to extract
the role_name from an additional joined table to authenticate a step
further. Does what I am explaining make sense? Forgive me if not.
When I say additional table, I mean one in addition to the user_name and
user_roles table that Tomcat requires for the form login security constraint
to work.
-----Original Message-----
From: Propes, Barry L
Sent: Thursday, August 17, 2006 11:13 AM
To: Tomcat Users List
Subject: Security constraint/login form
I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a
version on a prod. server and one ony my desktop) that you can create the
simple table titled users and configure it in the server.xml file and then
likewise configure the web.xml file's security constraint properties.
My question is, can you add other columns to the table and then do a join
on another table as to further enhance security?
If so, what is involved, and how involved is it?
Thanks!
Barry
---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Marc Farrow
