tomcat-users mailing list archives

From Johan Peeters <>
Subject Re: authentication - JDBC Realm
Date Thu, 07 Sep 2000 01:29:33 GMT

"Craig R. McClanahan" wrote:

> Johan Peeters wrote:
> > Hi,
> >
> > In the servlet spec, it is stated that a security role can be mapped to
> > a user group or to a principal. Am I right in thinking that only the
> > latter is supported in the JDBC Realm implementation?
> No.  Even with the default memory realm (i.e. the contents of the
> "$TOMCAT_HOME/conf/tomcat-users.xml" file), you can think of a group as "all
> principals who have been assigned the same role name".  If there is only one
> such user, then you have just mapped a security role to an individual
> principal.

Hmmm, so basically, the term 'user group' in the spec should be interpreted as
simply indicating that there can be many users to a role?
We envisaged user groups as a separate entity (class/table/...), allowing us to
pre-configure access rights for groups of users, i.e. before individual users
are registered. The following steps would be taken:
1. a superuser defines one or more groups
2. the superuser grants access rights to particular web resources (roles) to
each group
3. the superuser registers individual users as part of a group.
The advantage of this in an application with many roles will be obvious.
But, if I understand Craig correctly, it is not the spec's intention to support
this group notion. Sorry to press this point, but I do not want to embark on
developing a home-grown scheme if there are standard ways of doing this.

> For instance, the example application included with Tomcat includes a
> container-managed security area at:
>     http://localhost:8080/examples/jsp/security/protected
> to which access is granted to anyone who has either the "tomcat" or "role1"
> roles assigned to them.  You can have as many individual users as you want
> mapped to either of those roles.  If you assign a role to one and only one
> user, then you have in essence enabled mapping security roles to individual
> users.
> Many Linux distros do something very much like this in their user
> administration -- by default, a unique group is created for each new user.
> > If so, does anyone
> > have any suggestions of how to support the former mapping elegantly?
> > Incidentally, given the definitions in the servlet spec 2.2, would it
> > not have been more correct to talk about the 'JDBC Security Technology
> > Domain' (yuk ;-) rather than a 'JDBC Realm' (== Security Policy Domain)?
> >
> As the spec points out, "realm" is a term that is also used to refer to
> this concept -- and "realm" is a whole lot easier to type :-).

Sure. It's the distinction between the technology and the policy domain I am
referring to. The latter is synonymous with realm, not the former. Not important.

> >
> > Thanks for any clarifications,
> >
> > Yo
> >
> Craig McClanahan
> ====================
> See you at ApacheCon Europe <>!
> Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
> Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
>                                     Applications to Tomcat

Johan Peeters
Software Architect - Net Commerce
Alcatel - Gen. De Wittelaan 11 A bus 1 - 2800 Mechelen - Belgium
Phone: +32 15 29 3427 Fax: +32 3 240 4800
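An added example (not part of the thread, and not Tomcat's own code) of the group scheme Johan describes, kept compatible with a realm that only understands "user has role": groups and their roles are defined first, users are later registered into groups, and a two-column view flattens that into the user/role pairs a JDBC realm's role lookup reads. It assumes the realm's role query can be pointed at the view (Tomcat's JDBCRealm takes a userRoleTable, userNameCol and roleNameCol for this) and uses SQLite in-memory so it runs stand-alone; the users, groups and roles are constructed sample data.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users           (user_name  TEXT PRIMARY KEY);
CREATE TABLE acl_groups      (group_name TEXT PRIMARY KEY);
CREATE TABLE acl_group_roles (group_name TEXT REFERENCES acl_groups, role_name TEXT,
                              PRIMARY KEY (group_name, role_name));
CREATE TABLE user_groups     (user_name  TEXT REFERENCES users,
                              group_name TEXT REFERENCES acl_groups,
                              PRIMARY KEY (user_name, group_name));
-- Flattened user/role pairs: the only shape the realm's role lookup needs.
-- Assumption: the realm's userRoleTable is pointed at this view.
CREATE VIEW user_roles AS
  SELECT ug.user_name, gr.role_name
  FROM user_groups ug
  JOIN acl_group_roles gr ON gr.group_name = ug.group_name;
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Steps 1 and 2: the superuser defines groups and grants them roles
    # before any individual user exists (constructed sample data).
    conn.executemany("INSERT INTO acl_groups VALUES (?)", [("staff",), ("admins",)])
    conn.executemany("INSERT INTO acl_group_roles VALUES (?, ?)",
                     [("staff", "role1"), ("admins", "role1"), ("admins", "tomcat")])
    # Step 3: users are registered as members of a group.
    conn.executemany("INSERT INTO users VALUES (?)", [("yo",), ("craig",)])
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                     [("yo", "staff"), ("craig", "admins")])
    return conn

def roles_for(conn, user):
    """Roles the realm would see for a user, derived purely from group membership."""
    rows = conn.execute("SELECT role_name FROM user_roles WHERE user_name = ?", (user,))
    return sorted(r[0] for r in rows)

def has_any_role(conn, user, allowed):
    """Container-style check: access if the user holds any of the constraint's roles."""
    return bool(set(roles_for(conn, user)) & set(allowed))

def revoke_group_role(conn, group, role):
    """Revoking at group level changes every member's access in one statement."""
    conn.execute("DELETE FROM acl_group_roles WHERE group_name = ? AND role_name = ?",
                 (group, role))
    conn.commit()
```

Because the realm reads only the view, no per-user rows are touched when a group's rights change.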
