Hi Tim,

Good suggestion! I'll look into it. I am in a situation where I'd prefer to work on my own rather than bother IT with LDAP role setup and subsequent access granting to users. By having a JDBC Realm with a blacklist of users, I can easily control access.

I'll probably dig into the filter, but I don't know Java. Any sample working code with comments to modify would be great!

Thanks,
Clement

On Thu, Jun 25, 2009 at 2:59 AM, Tim Funk <funk...@apache.org> wrote:
> If you want a black list - it would probably be easier to write a filter
> [programmatic security] instead of declarative security. [At a minimum,
> everyone would still need to be authenticated - it's the authorization which
> is done via the filter (actually the filter will defer to the realm so there
> isn't much extra work)]
>
> Ex:
> doFilter(req, resp, chain) {
>     if (req.isUserInRole("blacklist")) {
>         resp.sendError(403);
>         return;
>     }
>     chain.doFilter(req, resp);
> }
>
> -Tim
>
> Clement Chong wrote:
>> Hi Tim,
>>
>> Basically the first realm contains the list of users we want to deny access.
>> The password would be dynamic, making it difficult to get through. Well, maybe
>> I should really consider working with specific roles. That is, grant users
>> with roles that would allow them access. Then I would probably just need a
>> single realm for authentication.
>>
>> However, this would mean almost all users require such a role granted except
>> for some whom we would like to deny access. Then every new user would also
>> probably need to be granted the role. A little extra work there, besides
>> working with IT to get the new role set up. A black list would work better
>> than a white list in this case.
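A complete version of the filter Tim sketches, written as an added example for this thread rather than code from Tim, Clement or the Tomcat project. It assumes the Servlet 2.5 API (javax.servlet) that Tomcat 6 ships with, a Realm that maps denied users to a role named "blacklist" (the role name is an assumption), and an optional init-param "deniedUsers" (also an assumption) for a plain name-based list that needs no role setup in IT's directory at all. The one point Tim's sketch leaves implicit is handled explicitly: if the container has not authenticated anyone, the filter denies rather than letting the request through.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Denies access to users who are either
 *   (a) mapped to the "blacklist" role by the container's Realm, or
 *   (b) named in the filter's "deniedUsers" init-param.
 * Both the role name and the init-param name are assumptions for this
 * example. The URL must also be covered by a security-constraint so that
 * the container authenticates the caller before this filter runs.
 */
public class BlacklistFilter implements Filter {

    private static final String DENY_ROLE = "blacklist";   // assumed role name
    private final Set<String> deniedUsers = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        // Optional comma-separated user names, configured in web.xml as
        //   <init-param><param-name>deniedUsers</param-name>
        //               <param-value>alice,bob</param-value></init-param>
        String list = config.getInitParameter("deniedUsers");
        if (list != null) {
            for (String name : list.split(",")) {
                String trimmed = name.trim();
                if (trimmed.length() > 0) {
                    deniedUsers.add(trimmed);
                }
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String user = req.getRemoteUser();

        // Fail closed: no authenticated principal means this URL is not
        // behind a security-constraint, so the blacklist cannot be checked.
        // Deny instead of silently allowing the request through.
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // isUserInRole defers to the configured Realm (JDBC, LDAP, ...),
        // so no extra lookup code is needed here for the role-based check.
        if (req.isUserInRole(DENY_ROLE) || deniedUsers.contains(user)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(request, response);
    }

    public void destroy() {
        deniedUsers.clear();
    }
}
```

Register it in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /*, and keep a <security-constraint> over the same /* pattern with an <auth-constraint> so that authentication still happens for every request. The filter only decides authorization; if a URL is left out of the security-constraint, the container never authenticates the caller there, which is why the filter refuses requests that arrive without a remote user rather than treating them as "not blacklisted".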