zhongliang zhang wrote:
>>> But the application allows creating new group, how do I solve this problem?
>>
>> What problem? You need to say what the problem is if we are going to be
>> able to help.

web.xml doesn't support the dynamic addition of new groups. Further, the Realm doesn't understand the concept of hierarchical groups.

> Only the member of group "administrators" have access to the administrative
> page, and other groups, like "groupA", "groupB", ... the member of which only
> have rights to login to the common page. So in the web.xml, I configure like
> the following:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <url-pattern>/admin</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>Administrators</role-name>
>   </auth-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <url-pattern>/common</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>??????</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>JDBCRealm</realm-name>
> </login-config>
>
> How should I configure the "??????" part? And furthermore, it has a inherency
> relationship between groups. If "Administrators" group contains "groupA", then
> the members of "groupA" have the administrative privilege, too. That means a
> group's member can be either a group or a user. In the former situation, it
> does a tree-search to check whether a user belongs to the "Administrators"
> group. Now, if I use a configuration file, how did I do this check?

There is, however, a way around this. It should be OK for small (few thousand groups and users) but it might not scale very well. The SQL below is non-optimal but it should give you the idea.

Use <role-name>Non-Administrators</role-name> for the common area.

You'll need to modify your server-side SQL some. Again, I don't have an Oracle instance to test with so I am going from memory / Google. The syntax may not be quite right. This assumes that your groupids are never the same as your userids.

-- Membership rows in the Administrators tree. userid is the member, which
-- may be a user or a nested group (grouptable columns as used in this post).
CREATE OR REPLACE VIEW vAdminGroups AS
  SELECT userid
  FROM grouptable
  START WITH groupname = 'Administrators'
  CONNECT BY PRIOR userid = groupid;

-- Users that are direct or nested members of Administrators.
CREATE OR REPLACE VIEW vAdminUsers AS
  SELECT u.userid AS userid, username, 'Administrators' AS groupname
  FROM usertable u, vAdminGroups g
  WHERE u.userid = g.userid;

-- Every other user gets the role named in web.xml for the common area.
CREATE OR REPLACE VIEW vNonAdminUsers AS
  SELECT username, 'Non-Administrators' AS groupname
  FROM usertable
  WHERE userid NOT IN (SELECT userid FROM vAdminUsers);

-- Both branches of the UNION must return the same columns.
CREATE OR REPLACE VIEW vUserRole AS
  SELECT username, groupname FROM vAdminUsers
  UNION
  SELECT username, groupname FROM vNonAdminUsers;

Hope this helps.

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
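
The flattening described in the reply above, as an added runnable example that is not part of the original message: it swaps Oracle's CONNECT BY for a recursive CTE in SQLite so the user-to-role view can be checked offline. The table layout is an assumption inferred from the views in the post, and the sample rows, including a membership cycle between Administrators and groupA, are constructed.

```python
import sqlite3

# Assumed schema (inferred from the post, not confirmed by it):
# usertable(userid, username); grouptable(groupid, groupname, userid) with one
# row per membership, where userid is the member and may itself be a groupid.
SCHEMA = """
CREATE TABLE usertable (userid INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE grouptable (groupid INTEGER, groupname TEXT, userid INTEGER);
CREATE VIEW vUserRole AS
WITH RECURSIVE admin_members(memberid) AS (
    SELECT userid FROM grouptable WHERE groupname = 'Administrators'
    UNION  -- UNION, not UNION ALL: repeats are dropped, so a cycle terminates
    SELECT g.userid FROM grouptable g
    JOIN admin_members a ON g.groupid = a.memberid
)
SELECT username,
       CASE WHEN userid IN (SELECT memberid FROM admin_members)
            THEN 'Administrators' ELSE 'Non-Administrators' END AS groupname
FROM usertable;
"""

# Constructed sample data; group ids never collide with user ids.
USERS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")]
MEMBERSHIPS = [
    (100, "Administrators", 1),    # alice is a direct administrator
    (100, "Administrators", 101),  # groupA is nested inside Administrators
    (101, "groupA", 2),            # bob inherits admin rights through groupA
    (101, "groupA", 100),          # cycle: Administrators is also in groupA
    (102, "groupB", 3),            # carol is only in groupB; dave is in no group
]

def build_db():
    """Create an in-memory database holding the schema and sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO usertable VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO grouptable VALUES (?, ?, ?)", MEMBERSHIPS)
    return db

def roles_for(db, username):
    """Return the flat role list a realm would read for one user."""
    rows = db.execute(
        "SELECT groupname FROM vUserRole WHERE username = ?", (username,))
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = build_db()
    for _, name in USERS:
        print(name, roles_for(db, name))
```

Every user resolves to exactly one of the two role names, so the `/common` constraint can name `Non-Administrators` without web.xml ever learning about groups created at runtime.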