David Kerber wrote:
Authentication is done in the java code, checking against the back-end database, and I'm trying to build the ACLs for a site as I read the site and user information from the db. The only thing tomcat is doing is serving up data; no authentication or access controls are set up in tomcat itself beyond whatever is there in the default installation.

I'd be tempted to forgo setting up ACLs of some flavour, in favour of using a JDBCRealm to handle authentication and basic role management.

Configure portions of your application to be available by URL path:

 /staff/stuff
 /manager/stuff
 /admin/stuff

Once you're in a specific (secured path) you could use the stored username/object to determine which data to display.


There isn't a standard way of doing programmatic security of this nature - the nature of it is such that you have to write it yourself.


Programmatic checks at each read/write point, using username-based SQL queries if your user can be linked/related to the stock DB; it's a logical problem more than a Tomcat problem, I think.


p
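An added illustration of the per-read/write check described above (not code from this thread or from Tomcat): the container Principal supplies the username and the "system_admin" role, and a per-store permission row in the database decides read-only versus read/write. The user_store_access table, its columns and the 'R'/'RW' values are assumptions.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;

/**
 * Per-store access check, called at each read/write point of the servlet/JSP code.
 * Assumed (hypothetical) schema: user_store_access(username, store_id, access)
 * with access = 'R' or 'RW'. The username comes from the container Principal.
 */
public class StoreAccessChecker {
    public enum Access { NONE, READ, READ_WRITE }
    private final Connection db;
    public StoreAccessChecker(Connection db) { this.db = db; }

    /** Look up what one user may do with one store; no row means no access. */
    public Access lookup(String username, int storeId) throws SQLException {
        String sql = "SELECT access FROM user_store_access WHERE username = ? AND store_id = ?";
        PreparedStatement ps = db.prepareStatement(sql); // bound parameters, not string concatenation
        try {
            ps.setString(1, username);
            ps.setInt(2, storeId);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) return Access.NONE;          // deny by default
            return "RW".equals(rs.getString(1)) ? Access.READ_WRITE : Access.READ;
        } finally {
            ps.close();
        }
    }

    /** Guard for read paths (viewing inventory). */
    public boolean canRead(HttpServletRequest req, int storeId) throws SQLException {
        return effective(req, storeId) != Access.NONE;
    }

    /** Guard for write paths; a read-only user fails here even though authenticated. */
    public boolean canWrite(HttpServletRequest req, int storeId) throws SQLException {
        return effective(req, storeId) == Access.READ_WRITE;
    }

    private Access effective(HttpServletRequest req, int storeId) throws SQLException {
        Principal p = req.getUserPrincipal();
        if (p == null) return Access.NONE;                              // not logged in
        if (req.isUserInRole("system_admin")) return Access.READ_WRITE; // container role wins
        return lookup(p.getName(), storeId);                            // otherwise per-store row
    }
}
```

A JSP or servlet calls canRead()/canWrite() with the store id it is about to touch and answers a false result with response.sendError(), so a user who authenticated successfully still cannot write to a store the table marks as 'R'.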




Dave


Pid wrote:

David Kerber wrote:

Thanks for the response, but I don't think either of these are what I need. My application involves users who need access to the inventory data for stores throughout the country, and those locations and users are all stored in a back-end database. All this is managed by java classes; tomcat and about 5 JSPs are just the front end for 260 or so java classes that do the grunt work. I need to be able to ensure that some users only have access to their own stores, while other users (regional managers, etc) can access all the stores under their jurisdiction, and system administrators can manage system settings, etc. I have those permissions set up in the database, but can't quite work out how to apply them to ACLs and ACLEntries. That's why I'm looking for a tutorial and/or sample code. The people who initially wrote this app tried, but didn't seem to get the permissions handling set up quite right, because any user who authenticates successfully has unlimited access to their stores, but some of them should only have read access, and I need to get it straightened out.


How are you doing auth? (E.g. using Tomcat FORM).

You'll be wanting some programmatic security then, no? You'll have to write some checks for each occasion that a user needs to read or write some data, I'd imagine.



If you're using the built-in auth stuff, then you can use the Principal to identify which roles the user has access to.

if (request.isUserInRole( "system_admin" )) {
    // show a page, do an action, write some data.
    ...
}
else {
    // throw error
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}


p



Thanks,
Dave


Martin Gainty wrote:

Good Morning Dave...

I would start by referencing this link
http://tomcat.apache.org/tomcat-6.0-doc/cgi-howto.html

either
set up security in %JAVA_HOME%/lib/security/java.policy and start java with the security manager enabled, e.g. JAVA -Djava.security.policy=java.policy %CATALINA_HOME%\bin\bootstrap.jar

OR
read everything you can on configuring %CATALINA_HOME%/conf/catalina.policy and configure the necessary options in catalina.policy *this link should get you started*
http://tomcat.apache.org/tomcat-4.1-doc/security-manager-howto.html

HTH/
Martin

----- Original Message ----- From: "David Kerber" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, May 08, 2007 10:25 AM
Subject: ACL (access control list) tutorial or example


I posted this on comp.lang.java.security yesterday, but haven't gotten a single answer, so I'm hoping you people can help:

I'm trying to implement ACLs in my Tomcat-based webapp, and am having trouble applying what I read in the docs and in my googling to my real-life application. Could somebody please point me to a good tutorial or some example code that shows how to set and check the permissions (read only vs read/write, administration vs general user, etc) that a given user will have to access a given object?

I've got the authentication part going with no trouble, but am having trouble with the access control side of things.

TIA!
Dave



