Nathan,

>> One question: if you have a user who needs access to both resources, why are
>> they not associated with both roles? That's the general [way] to do
>> authorization.
>
> Well... To be honest we are still in the process of developing use cases
> for our user authentication. It may well be that we can make the current
> Tomcat scheme work for us, once we have a clearer idea of what our users
> require. In the meantime I was experimenting with Tomcat and I had
> questions about the results. I want to be able to accurately represent
> what we can and cannot achieve using Tomcat's existing security
> arrangements.
If Tomcat's authentication and authorization do not quite meet your needs, I recommend using securityfilter (http://securityfilter.sourceforge.net) as an alternative. It has capabilities very similar to Tomcat's built-in stuff, but has more configuration options. It's also usable in other servlet containers, just in case you have to switch at some point.

Also, you could set the error page that is used when a user doesn't have the proper credentials to something that gives you the opportunity to re-login in order to access the forbidden resource.

When you want to log someone out of BASIC authentication, you have to send a blank "WWW-Authenticate" header to the client, just the same way that Tomcat would do if you weren't already authenticated.

> Thanks so much for your helpful reply!

No problem. Good luck!

-chris
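As an added illustration of the BASIC-auth logout step described in the reply above (example code, not from the thread or from Tomcat itself): a servlet that invalidates the session and re-issues the same 401 challenge Tomcat sends to an unauthenticated client. The realm name "MyRealm", the /logout mapping and a Servlet 3.0+ container (javax.servlet) are assumptions.

```java
// Added example, not from the original thread. Assumes a web app protected by
// BASIC auth on Tomcat with the realm name "MyRealm" (assumed) and the servlet
// mapped at /logout (assumed). Requires Servlet 3.0+ for @WebServlet and logout().
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class BasicLogoutServlet extends HttpServlet {

    // Assumed realm name; must match the <realm-name> in web.xml so the
    // browser associates this challenge with the credentials it cached.
    private static final String REALM = "MyRealm";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop server-side state: any session data tied to this user, and
        //    the container's own record of the authenticated principal.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        req.logout();

        // 2. Re-issue the challenge. Browsers resend cached BASIC credentials
        //    with every request to the realm until they see a fresh 401 for
        //    it, so we answer exactly as Tomcat does for an unauthenticated
        //    client: 401 plus a WWW-Authenticate header naming the realm.
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        // 3. Give the user something to look at if they cancel the prompt.
        resp.setContentType("text/plain");
        resp.getWriter().println("You have been logged out.");
    }
}
```

Whether the browser actually discards the cached credentials after this response, or only re-prompts when the user cancels the dialog, varies by browser, so the server-side invalidation in step 1 is the part to rely on.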