tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Limits on the size of the web.xml file?
Date Mon, 03 Sep 2001 19:21:17 GMT

On Mon, 3 Sep 2001, Roland wrote:

> Date: Mon, 3 Sep 2001 16:19:48 -0300
> From: Roland <>
> Reply-To:
> To:
> Subject: Re: Limits on the size of the web.xml file?
> > Sounds like a redesign is more appropriate.
> >
> > Memory issues aside, have you considered the fact that using individual
> > security constraints for each and every user means that you have to
> > restart the entire app every time you add a new user?  Or, that every time
> > you add a user and restart, the restart time gets longer and longer?
> That's a problem!
> > Use application specific logic to ensure that a particular user can only
> > see things that are relevant to them (i.e.  their own mailbox in a
> > WebMail scenario).
> That was my original design idea. BUT, in this case I don't know how to
> prevent someone from seeing the data from other users. How can I stop someone
> from trying to access the mail from someone else? Supposing that all
> "standard" users will have the same role, the security will allow him to see
> all directories.

The details *vastly* depend on how your app is put together, but it isn't
all that complicated to figure out.

Consider that you might have the mailboxes for a particular user defined
in a database table called "mailboxes", with columns "username" and
"mailboxname".  It would be easy to construct an SQL statement like this:

  select mailboxname from mailboxes
    where username = xxx

and replace xxx by the value returned from request.getRemoteUser().  This
would allow the user access *only* to his or her own mailboxes.

I'm assuming that you are *not* allowing users to upload their own
servlets or JSP pages, so they can only access what your app allows.  If
this is not true, all bets are off (and I wouldn't ever trust your server
with my mail messages anyway :-).

> A question besides here, using JDBC realms is it possible to assign multiple
> roles to one user? How do I do it? Do I have to put several entries in the
> user_roles table? One line for each role of the user?

Yep.  A user can have as many roles as you want to assign them.

> Thanks in advance...
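
Added example, not part of the original message: the per-user scoping described above, with a shared role as the coarse check and row ownership as the fine one. Assumptions: an in-memory SQLite database stands in for the JDBC data source, the remote_user argument stands in for the value of request.getRemoteUser(), and the user_roles column names and all sample rows are constructed.

```python
import sqlite3

def build_db():
    """Constructed sample data: both users hold the shared 'standard' role."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table user_roles (username text, rolename text);
        create table mailboxes (username text, mailboxname text);
        insert into user_roles values
            ('alice', 'standard'), ('alice', 'admin'), ('bob', 'standard');
        insert into mailboxes values
            ('alice', 'inbox'), ('alice', 'archive'),
            ('bob', 'inbox'), ('bob', 'payroll');
    """)
    return db

def roles_of(db, remote_user):
    # One user_roles row per role, so a user can hold several roles.
    rows = db.execute(
        "select rolename from user_roles where username = ? order by rolename",
        (remote_user,))
    return [r[0] for r in rows]

def list_mailboxes(db, remote_user):
    # The query from the message, with the user name bound as a parameter
    # rather than pasted into the SQL text.
    rows = db.execute(
        "select mailboxname from mailboxes where username = ? "
        "order by mailboxname", (remote_user,))
    return [r[0] for r in rows]

def can_open(db, remote_user, requested_mailbox):
    # requested_mailbox is client-supplied (for example a request parameter);
    # the owner is taken only from the authenticated identity.
    if remote_user is None or "standard" not in roles_of(db, remote_user):
        return False
    row = db.execute(
        "select 1 from mailboxes where username = ? and mailboxname = ?",
        (remote_user, requested_mailbox)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = build_db()
    print(list_mailboxes(db, "bob"))            # bob's own mailboxes only
    print(can_open(db, "alice", "payroll"))     # same role, not the owner
```

Both users pass the role check, so the ownership predicate in the where clause is what keeps one user out of another's mailbox.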
