oh, ok. I'd say your solution's pretty plausible.
I've just now had to retool my users table a bit adding a timestamp for
auth purposes, too.
I've just got the one extra table that allows people to be in multiple
categories, yet confined to the one role in the users_role table.
-----Original Message-----
From: Ryan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 22, 2007 2:39 PM
To: Tomcat Users List
Subject: Re: requiring multiple roles for access
Barry,
This is a good implementation, and yes, it does make sense. I did go with a
different implementation, though; essentially I created a new table that
stores the user's previous roles and timestamps them when the user is
disabled. When they are re-enabled, I just put the role data back into the
roles table so there's no change in their previous access. This way, the JSP
developers don't have to think about it, it just happens in the background.
It's probably not the best implementation, but it'll do ;-).
By the way, I've given up on the role combo login, I was just hoping when I
wrote that one.
Thanks,
Ryan
On 3/22/07, Propes, Barry L [GCG-NAOT] <[EMAIL PROTECTED]> wrote:
>
> Hey Ryan,
>
> I didn't end up catching it, only because the people getting the email
> that would log in to the "voting section," it doesn't come into play for
> them.
>
> In other words, if they get the email, they're already in the DB as a
> user and have the necessary role.
>
>
> If I was going to catch it, I'd need to catch it in this JSP, the way I
> wrote it. The architecture I used on this one file was not ideal, as I
> have three select query statements residing within it.
>
> What I could stand to do, and would do, is catch it in the JSP, but
> probably by the declared string variable I have, called jrole.
>
> jrole in this case is the one of admin, service, legal, risk, etc.
>
> So if they're not one of four roles, I need to throw in a catch block
> for the SQL Exception there, otherwise I'd get an exhausted results set
> error, or invalid cursor state, if it can't find the matching role.
>
> Does this make sense? Or help you any? Sorry if it wasn't of more help.
>
> Let me know. And let me know moreso the way your site/app is structured;
> for example, who needs to go to a protected area, what roles, etc.
>
> I don't think you can make it have a dual/double login layer. Wouldn't
> make too much sense anyway as they'd have to use the same combo and that
> would defeat the session purpose anyway.
>
> -----Original Message-----
> From: Ryan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 22, 2007 9:35 AM
> To: Tomcat Users List
> Subject: Re: requiring multiple roles for access
>
>
> Barry,
>
> Regarding your method below, do you catch this method in JSP or
> somewhere else?
>
> Thanks,
> Ryan
>
>
> On 3/21/07, Propes, Barry L [GCG-NAOT] <[EMAIL PROTECTED]> wrote:
> >
> > I don't know about disabling users, as I haven't tried something like
> > that, and there may be ways of tiering the access in regards to roles,
> > which I technically haven't tried either.
> >
> > But what I have is a group of people who absolutely have to access one
> > portion, and then some "admins" who have to access another. But for
> > reasons you can probably imagine, I certainly don't want it wide open to
> > anyone with an account. So I've got it gated as such in this manner.
> > Does this make sense? Another thing I did was run separate select
> > queries from the users and "approvers" table, one I created and linked
> > together by a unique ID. If someone contained one role, they could access
> > this section. If not, in another case, an exception is thrown, which I
> > didn't catch properly right away, but it doesn't let that user into the
> > section.
> >
> > Let me know if you need more insight into it.
> >
> > Good luck with it Ryan!
> >
> > -----Original Message-----
> > From: Ryan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, March 21, 2007 2:22 PM
> > To: Tomcat Users List
> > Subject: Re: requiring multiple roles for access
> >
> >
> > Barry,
> >
> > I'm looking for a way to disable the user by taking them out of one
> > role, but leaving them in the roles they were in before they were disabled
> > (for informational purposes). I didn't think it would be possible, but I
> > wanted to throw it out there in case I missed something. What you are
> > suggesting may also be suitable.
> >
> > Thanks,
> > Ryan
> >
> >
> > On 3/21/07, Propes, Barry L [GCG-NAOT] <[EMAIL PROTECTED]> wrote:
> > >
> > > I know you can assign different roles to an app, and to a user, and
> > > make that user need one role to get to one part and an additional role to
> > > access a separate part of the app, but the entire app? Not sure about that.
> > >
> > > I've got people in my users table that have to have multiple roles
> > > for several tasks within my app. If they only have one role, they're
> > > able to do a certain part of the app, but not all of it. Is this what
> > > you're trying to accomplish?
> > >
> > > -----Original Message-----
> > > From: Ryan [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, March 21, 2007 8:39 AM
> > > To: users@tomcat.apache.org
> > > Subject: requiring multiple roles for access
> > >
> > >
> > > Hi All,
> > >
> > > I would like to require a user to belong to two roles to access a
> > > certain application (i.e. user must belong to role1 AND role2 to access).
> > > I've tried the following in my web.xml....
> > > <auth-constraint>
> > > <role-name>role1</role-name>
> > > <role-name>role2</role-name>
> > > </auth-constraint>
> > >
> > > Unfortunately, this doesn't seem to work (it seems to allow role1 OR
> > > role2).
> > > Is what I'm trying to do possible??
> > >
> > > Thanks,
> > > Ryan
> > >
> > >
---------------------------------------------------------------------
> > > To start a new topic, e-mail: users@tomcat.apache.org
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
>