tomcat-dev mailing list archives

From Assaf Arkin <>
Subject Re: [LONG TERM PLAN] Proposed Architecture for Tomcat.Next Servlet Container
Date Thu, 30 Dec 1999 23:32:28 GMT
> How does an application developer implement a custom security scheme that
> protects static as well as dynamic content? It can't be done with the
> current (2.2) servlet API.
> It seems to me that the concept of a request/response Interceptor that
> operates at the level of a web application would be useful for application
> developers.

Here comes that confusion :-)

If you are talking about system security, as we've illustrated so far,
then you don't want to implement that in a Servlet. It's very
OS/configuration dependent, it's not generic code, and it doesn't live
well inside a container.

If you are talking about application level security (e.g. which user has
access to what documents), you want to implement that only inside
Servlets. Assuming some interceptor can authenticate the user and give
you the role list, you have all the mechanisms for that in Servlet.

As for your question how to make it work with static files, very simple:
a Servlet that hands over static files. This is exactly how Tomcat
serves static files today (sans the security) and has the same overhead
and complexity as using an Interceptor. Better still, it's portable to
non-Tomcat servers and environments where your interceptor might not


> Vince Bonfanti
> New Atlanta Communications, LLC
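The servlet approach described in the message above, as an added example that is not part of the original post or of Tomcat's code: a servlet that hands over static files only after an application-level role check. The class name, the `/WEB-INF/protected` directory, and the `docs-reader` role are assumptions, and the `javax.servlet` package is the classic Servlet API (newer containers use `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: serves files kept under /WEB-INF/protected (assumed layout) only to
// callers whose authenticated identity carries the hypothetical role "docs-reader".
public class ProtectedFileServlet extends HttpServlet {
    // The container never serves /WEB-INF by direct URL, so this servlet is the only way in.
    private static final String BASE = "/WEB-INF/protected";
    private static final String REQUIRED_ROLE = "docs-reader"; // hypothetical role name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Authentication happens elsewhere (container or interceptor); this is the
        // application-level decision. isUserInRole is false for unauthenticated callers too.
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String path = req.getPathInfo(); // part of the URL after the servlet mapping
        // Conservative filter: no empty path, no ".." sequences, no backslashes,
        // so the requested name cannot resolve outside BASE.
        if (path == null || path.equals("/") || path.contains("..") || path.indexOf('\\') >= 0) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        ServletContext ctx = getServletContext();
        try (InputStream in = ctx.getResourceAsStream(BASE + path)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String type = ctx.getMimeType(path);
            resp.setContentType(type != null ? type : "application/octet-stream");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n); // stream the file to the client
            }
        }
    }
}
```

Mapped to a URL pattern such as `/docs/*` in the deployment descriptor, a request for `/docs/report.pdf` reads `/WEB-INF/protected/report.pdf`, and the same class works unchanged in any container that implements the Servlet API.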
