tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeanfrancois Arcand <>
Subject Re: Proposal: CanAccessLink(..) test
Date Fri, 10 Jan 2003 13:58:05 GMT
Hi Marki, see inline

Mark Harwood wrote:

>Its cool having authorisation restrictions enforced when accessing a page but 
>it would also be useful to query these restrictions when choosing to offer a 
>link in other pages.
>I have an implementation which offers this query capability based on a hack of 
>Tomcat authorisation code. The method signature is:
>boolean canIAccess(String url, String method, HttpServletRequest 
>currentRequest, ServletContext context)
>Is this sort of thing worth rolling into Tomcat somewhere? Without such a 
>feature you effectively end up declaring security restrictions twice - once in 
>web.xml declarations and once in pages that choose to offer links to these 
>secured pages.
-1 for portable reason. The security mechanism will not work the same 
way if I define my web app using Tomcat and then moving it under another 
Servlet container. Some user may think their application are secure 
under Tomcat, and then move it to another container (security issue).

If you think that every Servlet container should support your method, 
you can submit your proposal to 

If other tomcat-dev are interested to your proposal,  at least make that 
behaviour optional and turned off by default :-)

-- Jeanfrancois

>Mark Harwood
>To unsubscribe, e-mail:   <>
>For additional commands, e-mail: <>

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message