Johnny Kewl wrote:
----- Original Message ----- From: "Lyallex" <[EMAIL PROTECTED]>
Allowing a user to add a role is simple enough.
Is it?
Yes.
I'm not so sure.... when does Tomcat load up the tomcat-users.xml?
When it starts, for every servlet start up... I'm not sure?
At Tomcat start-up.
i.e. if you change it, when does TC recognize it... I wonder?
If you change the file you'll need to re-start. But...
Then how are you controlling access to "resources" pages... a
<security-constraint> right?
Once you add a new role, you have to tell tomcat that, that role can
access that page...
So again the same question, TC probably only loads that
<security-constraint> when the servlet starts, and if it's changed on the
fly, TC will restart.
If you change web.xml, yes TC will restart. However, you probably know the
roles you want and the resources you want to protect, just not which users
have which roles.
If the security constraint is not there, it won't prompt the user to log
on...
Anyway think about that, I think the idea of changing tomcat-users.xml
This is easy - look at the admin webapp for TC5.5.x
and <security-constraint> on the fly may be flawed.
This should be doable. I haven't looked at the code.
The problem comes when a superuser wants to remove a role from a user
and that user may be logged in.
Look at how the manager webapp accesses the list of sessions. You should be
able to use similar code. Note you'll need to make your webapp privileged.
You might want a separate admin webapp.
Mark
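
An added sketch of the approach suggested in the message above (not code from the thread or from Tomcat itself): a servlet in a privileged webapp that expires the live sessions of a user whose role has just been removed, so the change does not wait for logout. The class name and the "path" and "user" request parameters are assumptions; it uses the javax.servlet API and Catalina's ContainerServlet, Manager and Session interfaces, and the webapp must be deployed with privileged="true" on its Context.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;

// Hypothetical servlet name. Tomcat only hands a Wrapper to a ContainerServlet
// that lives in a privileged context, so wrapper stays null otherwise.
public class RevokeSessionsServlet extends HttpServlet implements ContainerServlet {
    private Wrapper wrapper;

    public Wrapper getWrapper() { return wrapper; }
    public void setWrapper(Wrapper wrapper) { this.wrapper = wrapper; }

    // Expire every session in one webapp that is authenticated as userName.
    static int expireSessionsFor(Manager manager, String userName) {
        int expired = 0;
        for (Session s : manager.findSessions()) {
            Principal p = s.getPrincipal();   // null for anonymous sessions
            if (p != null && userName.equals(p.getName())) {
                s.expire();                   // forces a fresh login and role lookup
                expired++;
            }
        }
        return expired;
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getParameter("path");   // assumed parameter: target context path
        String user = req.getParameter("user");   // assumed parameter: user being demoted
        if (wrapper == null) { resp.sendError(500, "context is not privileged"); return; }
        if (path == null || user == null) { resp.sendError(400); return; }
        Host host = (Host) wrapper.getParent().getParent();  // Wrapper -> Context -> Host
        Context target = (Context) host.findChild(path);
        if (target == null || target.getManager() == null) { resp.sendError(404); return; }
        int n = expireSessionsFor(target.getManager(), user);
        resp.setContentType("text/plain");
        resp.getWriter().println("Expired " + n + " session(s) for " + user);
    }
}
```

Because this servlet can end any user's session, map it behind its own <security-constraint> restricted to the superuser role, ideally in a separate admin webapp as the message suggests.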