tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: user's roles verification
Date Mon, 12 Aug 2002 21:55:14 GMT

On 12 Aug 2002, Alexander Wallace wrote:

> Date: 12 Aug 2002 15:43:58 +0100
> From: Alexander Wallace <>
> Reply-To: Tomcat Users List <>
> To: Tomcat Users List <>
> Subject: user's roles verification
> I've got (I think) Realms working. I need some advice for good
> practices...
> My original idea (before hearing about realms and such) was to direct
> all requests for any resource of my webapp to a servlet that would
> verify user roles.
> Then I was told here that I would run into a lot of problems if I did
> that. And was recommended to check filters and that realms are for this
> purpose.
> Here is my main question: Using realms, should each jsp verify the role
> of the user trying to access it? Or is there a more elegant way to do
> it, to keep code in jsp minimum and centralize that task?
> The verification will have to happen for each one of the pages in my web
> app..
> Thank you in advance!

Using Filters would be for if you want your app to do its own checking.

Using Realms (as provided by Tomcat) implies that you are defining a
<security-constraint> in your web application that says, in essence, "in
order to access the following URLs, the user must be authenticated *and*
possess one of the following roles".  If you are using this approach, your
app doesn't have to do a thing (other than define the security constraint
element in web.xml) -- the container does all the work for you.
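
A `web.xml` fragment of the kind described in the reply above, as an added example that is not part of the original post. The `/secure/*` URL pattern, the `manager` and `staff` role names, the BASIC login method and the realm name are assumptions chosen for illustration.

```xml
<!-- Fragment of WEB-INF/web.xml. URL pattern, role names and realm name are assumed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <!-- Every URL under /secure/ is covered, so no JSP needs its own role check -->
    <url-pattern>/secure/*</url-pattern>
    <!-- No http-method element is listed, so the constraint applies to all HTTP methods -->
  </web-resource-collection>
  <auth-constraint>
    <!-- The user must be authenticated and hold at least one of these roles -->
    <role-name>manager</role-name>
    <role-name>staff</role-name>
  </auth-constraint>
</security-constraint>

<!-- How the container asks for credentials; the configured Realm validates them -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<!-- Declare each role referenced by the auth-constraint above -->
<security-role>
  <role-name>manager</role-name>
</security-role>
<security-role>
  <role-name>staff</role-name>
</security-role>
```

The container enforces the constraint on requests arriving from the client; resources reached through a `RequestDispatcher` forward or include are not re-checked, so protected pages should sit under the constrained URL pattern themselves.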

