From: Jeanfrancois Arcand
Date: Fri, 10 Jan 2003 08:58:05 -0500
To: Tomcat Developers List
Subject: Re: Proposal: CanAccessLink(..) test
Message-ID: <3E1ED16D.50906@apache.org>
In-Reply-To: <3E2B3803@mail.totalise.co.uk>

Hi Marki,

see inline

Mark Harwood wrote:

>It's cool having authorisation restrictions enforced when accessing a page but
>it would also be useful to query these restrictions when choosing to offer a
>link in other pages.
>
>I have an implementation which offers this query capability based on a hack of
>Tomcat authorisation code.
>The method signature is:
>
>boolean canIAccess(String url, String method, HttpServletRequest
>currentRequest, ServletContext context)
>
>
>Is this sort of thing worth rolling into Tomcat somewhere? Without such a
>feature you effectively end up declaring security restrictions twice - once in
>web.xml declarations and once in pages that choose to offer links to these
>secured pages.
>

-1 for portability reasons. The security mechanism will not work the same way if I define my web app using Tomcat and then move it under another Servlet container. Some users may think their applications are secure under Tomcat, and then move them to another container (security issue).

If you think that every Servlet container should support your method, you can submit your proposal to jsr-154-comments@jcp.org

If other tomcat-dev are interested in your proposal, at least make that behaviour optional and turned off by default :-)

-- Jeanfrancois

>
>Cheers
>Mark Harwood