----- Original Message -----
From: "Lyallex" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, June 19, 2008 9:30 AM
Subject: Changing roles on the fly
> Hello
> Tomcat 5.5.26
> Java 1.5.0_15-b04
> This question is about role based security and the dynamic
> assignment/removal of roles.
> I have a requirement to allow a user to add or remove certain roles
> 'on the fly'
> Allowing a user to add a role is simple enough.
Is it? I'm not so sure... when does Tomcat load up tomcat-users.xml?
When it starts? On every servlet start-up? I'm not sure.
i.e. if you change it, when does TC recognize it... I wonder?
Then how are you controlling access to "resources" pages... a
<security-constraint>, right?
Once you add a new role, you have to tell Tomcat that that role can access
that page...
So again the same question: TC probably only loads that
<security-constraint> when the servlet starts, and if it's changed on the
fly, TC will restart.
If the security constraint is not there, it won't prompt the user to log on...
Anyway, thinking about that, I think the idea of changing tomcat-users.xml and
<security-constraint> on the fly may be flawed.
> Once they have 'clicked the button' to add a role (and thereby add a
> certain set of role-defined features) I simply force them to log back
> in again.
> Similarly, when a user removes a role I again force them to log in and
> they then no longer have those role-based features associated.
> The problem comes when a superuser wants to remove a role from a user
> and that user may be logged in.
> What I need to be able to do is to view all the currently active
> sessions and log the relevant user out (by invalidating the session
> for example) so that when they next try to access a protected resource
> they have to log in again ... I can't give any more details I'm
> afraid.
> I think I may be able to do this by allowing a superuser account to
> access this information using JMX (mbeans) and do appropriate stuff.
> This is a sanity check with the experts on this list as I have never
> used JMX before and I would like to know if I am pointing in the right
> direction.
> Is this something I could do via JMX or is there something else I
> should be looking at.
I think JMX will be mega work; it sounds like building a JMX client, and
ouch, I think that could be a pain...
And then even if you could add a role to a page, I wonder what TC is going
to do, i.e. part of the JMX setting may have to be reloading the servlet.
Maybe?
Interesting question... my initial thought is this.
I'd use TC for "main" categories or roles... i.e. "AdminDudes that can set up
*my* Roles"
and "NormalUsersThatUsePages", i.e. all users log into the same TC role.
Then you make your own SubRoles... in external, "not TC" tables, XML, DB,
whatever you want.
And make your own permission tables,
i.e.
User : Role1,Role2,Role3
Role1 : Uri1,Uri2,Uri3
So users all come in on the TC "NormalUsersThatUsePages" role, and then you
accept or reject... using your logic.
In this scheme the user doesn't have to be logged out, they just get told
they haven't paid enough to access that page.
You may find you don't want to kill their cookie, because it's remembering
stuff they're doing elsewhere...
I have a feeling that if you mess with TC's settings on the fly... it's not
going to work.
Maybe ;)
Good luck ;)
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------
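Lyallex's actual requirement (a superuser ends a logged-in user's session so that the next protected request forces a fresh login, which then picks up the changed roles) can be met inside the web app without building a JMX client. The following is an added example, not code from this thread or from Tomcat: one class registered in web.xml as both an HttpSessionListener and a Filter, which records which authenticated user owns each session and lets an admin page invalidate every live session of one user. It assumes Tomcat 5.5 / Servlet 2.4 / Java 5 as in the question, container-managed login via <security-constraint> (so getRemoteUser() is set), and a single, non-clustered Tomcat; the class name, attribute key and method names are the example's own.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (hypothetical class, not part of Tomcat or the original app).
 * Tracks live sessions per authenticated user so a superuser can expire one
 * user's sessions from inside the web app. Registered in web.xml both as a
 * <listener> and as a <filter> mapped to the protected url-pattern.
 */
public class SessionRegistry implements Filter, HttpSessionListener {

    /** User name -> that user's live sessions. Static because the container
     *  instantiates the listener and the filter separately. */
    private static final Map<String, Set<HttpSession>> BY_USER =
            new HashMap<String, Set<HttpSession>>();

    /** Session attribute recording which user the session belongs to. */
    private static final String USER_KEY = "SessionRegistry.user";

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    /** Filter side: the first request after container login binds the session to its user. */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String user = r.getRemoteUser();      // non-null once the <security-constraint> login succeeded
        HttpSession s = r.getSession(false);  // never create a session just to track it
        if (user != null && s != null && s.getAttribute(USER_KEY) == null) {
            s.setAttribute(USER_KEY, user);
            synchronized (BY_USER) {
                Set<HttpSession> sessions = BY_USER.get(user);
                if (sessions == null) {
                    sessions = new HashSet<HttpSession>();
                    BY_USER.put(user, sessions);
                }
                sessions.add(s);
            }
        }
        chain.doFilter(req, res);
    }

    public void sessionCreated(HttpSessionEvent e) { }

    /** Listener side: forget the session when it times out or is invalidated.
     *  Attributes are still readable here under Servlet 2.4 (listeners run before teardown). */
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        String user = (String) s.getAttribute(USER_KEY);
        if (user == null) return;             // never authenticated, never registered
        synchronized (BY_USER) {
            Set<HttpSession> sessions = BY_USER.get(user);
            if (sessions != null) {
                sessions.remove(s);
                if (sessions.isEmpty()) BY_USER.remove(user);
            }
        }
    }

    /** Superuser action: end every live session of one user.
     *  Returns how many sessions were actually invalidated. */
    public static int logoutUser(String user) {
        Set<HttpSession> victims;
        synchronized (BY_USER) {              // snapshot, then invalidate outside the lock
            Set<HttpSession> sessions = BY_USER.remove(user);
            victims = sessions == null ? new HashSet<HttpSession>()
                                       : new HashSet<HttpSession>(sessions);
        }
        int count = 0;
        for (HttpSession s : victims) {
            try {
                s.invalidate();               // fires sessionDestroyed; next protected request re-prompts login
                count++;
            } catch (IllegalStateException alreadyInvalid) {
                // timed out between the snapshot and here; nothing left to do
            }
        }
        return count;
    }

    /** Superuser view: every user who currently has at least one live session. */
    public static Set<String> activeUsers() {
        synchronized (BY_USER) {
            return new TreeSet<String>(BY_USER.keySet());
        }
    }
}
```

Register it with `<listener><listener-class>SessionRegistry</listener-class></listener>` plus a `<filter>` and `<filter-mapping>` on the same url-pattern as the <security-constraint>, and have the superuser's page call `SessionRegistry.logoutUser(name)` after it changes the user's roles. Because Tomcat keeps the authenticated principal in the session, invalidating the session is what makes the next constrained request show the login form again and pick up the user's current roles. The registry is in memory only: it empties on restart and sees one JVM, so a clustered or persisted-session deployment needs the same user-to-session record kept in the shared store. For comparison, the JMX route Lyallex mentions already exists in Tomcat: each context's Manager MBean (Catalina:type=Manager,path=...,host=...) exposes listSessionIds and expireSession operations in 5.5, which is what an admin client would call; confirm against the mbeans-descriptors.xml shipped in your version before building on them.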
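The sub-role layout suggested in the reply (one coarse Tomcat role gets you in, your own User : Role and Role : Uri tables decide per page) is exactly what a servlet Filter is for. The following is an added example, not code from this thread or from Tomcat, showing that layout on Servlet 2.4 / Java 5: the filter is mapped to the same protected url-pattern as the <security-constraint>, reads the two tables, and answers 403 with a message instead of touching the session. The tables are constructed sample data held in memory; the class, user, role and path names are the example's own, and in practice grant/revoke/allow would write through to your database. Since Tomcat fixes the container roles in the session's principal at login, these app-level tables are the only part of the decision that can change mid-session without a re-login, which is why revoking a sub-role here takes effect on the user's very next request.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of Tomcat or the original app).
 * Per-URI authorisation against application-owned sub-roles. The container's
 * <security-constraint> still forces login and checks the one coarse Tomcat
 * role; this filter, mapped to the same protected area, decides per request.
 */
public class SubRoleFilter implements Filter {

    /** User : Role1,Role2,...   (constructed sample data; load from your DB in practice) */
    private final Map<String, Set<String>> userRoles = new HashMap<String, Set<String>>();
    /** Role : Uri1,Uri2,...     context-relative URI prefixes the role unlocks */
    private final Map<String, Set<String>> roleUris = new HashMap<String, Set<String>>();

    public void init(FilterConfig cfg) throws ServletException {
        // Sample tables. Prefixes end in '/' so "/pages/reports/" cannot match "/pages/reportsX".
        allow("basic", "/pages/reports/");
        allow("gold",  "/pages/reports/");
        allow("gold",  "/pages/premium/");
        grant("alice", "gold");
        grant("bob",   "basic");
    }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        String user = r.getRemoteUser();
        if (user == null) {
            // The <security-constraint> should have forced a login before we get here;
            // treat its absence as a misconfiguration and refuse rather than pass through.
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Use the container-decoded, normalised path instead of getRequestURI(), so that
        // %2e%2e segments, ';jsessionid=...' and doubled slashes cannot dodge a prefix check.
        String path = r.getServletPath() + (r.getPathInfo() == null ? "" : r.getPathInfo());

        if (permitted(user, path)) {
            chain.doFilter(req, res);
        } else {
            // Deny without invalidating anything: the user stays logged in and keeps
            // whatever else the session holds, they just cannot see this page.
            w.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Your account does not include access to this page.");
        }
    }

    /** Deny by default: true only if one of the user's current sub-roles covers the path. */
    public synchronized boolean permitted(String user, String path) {
        Set<String> roles = userRoles.get(user);
        if (roles == null) return false;
        for (String role : roles) {
            Set<String> prefixes = roleUris.get(role);
            if (prefixes == null) continue;
            for (String prefix : prefixes) {
                if (path.startsWith(prefix)) return true;
            }
        }
        return false;
    }

    /* Admin operations. permitted() reads the live tables, so a change is effective on
     * the user's next request; no re-login and no session kill needed. */
    public synchronized void grant(String user, String role) {
        Set<String> roles = userRoles.get(user);
        if (roles == null) { roles = new HashSet<String>(); userRoles.put(user, roles); }
        roles.add(role);
    }
    public synchronized void revoke(String user, String role) {
        Set<String> roles = userRoles.get(user);
        if (roles != null) roles.remove(role);
    }
    public synchronized void allow(String role, String uriPrefix) {
        Set<String> uris = roleUris.get(role);
        if (uris == null) { uris = new HashSet<String>(); roleUris.put(role, uris); }
        uris.add(uriPrefix);
    }
}
```

Map the filter only to the protected area (for the sample tables, a `<filter-mapping>` with `<url-pattern>/pages/*</url-pattern>`), so the login page and public pages are never asked for a sub-role. With Tomcat's default servlet or extension-mapped JSPs, getServletPath() is the whole context-relative path and getPathInfo() is null; for a servlet mapped with a wildcard the two together still give the full path, which is why both are concatenated. Keep the filter as the single place the decision is made: a JSP that also checks isUserInRole() for the coarse role is fine, but a second copy of the sub-role logic in page code is where the two views drift apart.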