tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Limits on the size of the web.xml file?
Date Mon, 03 Sep 2001 19:21:17 GMT


On Mon, 3 Sep 2001, Roland wrote:

> Date: Mon, 3 Sep 2001 16:19:48 -0300
> From: Roland <roland@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Limits on the size of the web.xml file?
>
> > Sounds like a redesign is more appropriate.
> >
> > Memory issues aside, have you considered the fact that using individual
> > security constraints for each and every user means that you have to
> > restart the entire app every time you add a new user?  Or, that every time
> > you add a user and restart, the restart time gets longer and longer?
>
> Thats a problem!
>
> > Use application specific logic to ensure that a particular user can only
> > see things that are relevant to them (i.e.  their own mailbox in a
> > WebMail scenario).
>
> That was my original design idea. BUT, in this case I don't know how to
> prevent someone to see the data from other users. How can I stop someone
> from trying to access the mail from someone else? Supposing that all
> "standard" users will have the same role, the security will allow him to see
> all directories.
>

The details *vastly* depend on how your app is put together, but it isn't
all that complicated to figure out.

Consider that you might have the mailboxes for a particular user defined
in a database table called "mailboxes", with columns "username" and
"mailboxname".  It would be easy to construct an SQL statement like this:

  select mailboxname from mailboxes
    where username = xxx

and replace xxx by the value returned from request.getRemoteUser().  This
would allow the user access *only* to his or her own mailboxes.

I'm assuming that you are *not* allowing users to upload their own
servlets or JSP pages, so they can only access what your app allows.  If
this is not true, all bets are off (and I wouldn't ever trust your server
with my mail messages anyway :-).

> A question besides here, using JDBC realms is it possible to assign mutliple
> roles to one user? How do I do it? Do I have to put several entries in the
> user_roles table? One line for each role of the user?

Yep.  A user can have as many roles as you want to assign them.

>
> Thanks in advance...
>
>
>
Craig



Mime
View raw message