tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cox, Charlie" <c...@cincom.com>
Subject RE: Authentication and Filters
Date Fri, 10 Jan 2003 14:47:59 GMT
it currently does not allow this. Apparently this ability will be added to
the servlet spec 2.4 which would then be implemented in tomcat 5.x

Charlie

> -----Original Message-----
> From: Jacob Hookom [mailto:hookomjj@uwec.edu]
> Sent: Friday, January 10, 2003 9:37 AM
> To: 'Tomcat Users List'
> Subject: RE: Authentication and Filters
> 
> 
> Authentication aside, does the servlet container work such that an
> include or RD operation has the option of passing through the filter?
> If so, as of which release?
> 
> Best Regards,
> Jacob
> 
> | -----Original Message-----
> | From: Tim Funk [mailto:funkman@joedog.org]
> | Sent: Friday, January 10, 2003 6:30 AM
> | To: Tomcat Users List
> | Subject: Re: Authentication and Filters
> | 
> | I meant 2.5 since changes to 2.4 are closed from my position in the
> dev
> | community.
> | 
> | My point is only the incoming request is protected by the security
> | constraint in web.xml. It may be nice to allow the 
> programmer to also
> | check future dispatches for authorization before the 
> dispatch occurs.
> | 
> | RequestDispatcher.isAuthorized() was to allow an admin to define
> | additional security contraints in web.xml without writing code. This
> | also requires the cooperation of the developer of a webapp to check
> for
> | this condition too.
> | 
> | Sorry for starting to take this off-topic.
> | 
> | -Tim
> | 
> | Craig R. McClanahan wrote:
> | >
> | > On Thu, 9 Jan 2003, Tim Funk wrote:
> | >
> | >
> | >>Date: Thu, 09 Jan 2003 21:15:12 -0500
> | >>From: Tim Funk <funkman@joedog.org>
> | >>Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> | >>To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> | >>Subject: Re: Authentication and Filters
> | >>
> | >>Is there a chance (or worthwhile) that in Servlet API 2.5 a
> developer
> | >>could check if an obtained RequestDispatcher would violate a
> security
> | >>constraint in web.xml?
> | >>
> | >
> | >
> | > I assume you mean Servlet 2.4, right?
> | >
> | >
> | >>For example the following new method:
> | >>RequestDispatcher.isAuthorized()
> | >>Returns true if the RequestDispatcher's url passes the constraints
> | >>defined in web.xml
> | >
> | >
> | > This does not seem likely to me.  Nor does it seem 
> necessary.  After
> | all,
> | > your application has available everything it needs to 
> know (through
> | calls
> | > like request.getUserPrincipal() and 
> request.isUserInRole()) to make
> this
> | > decision for itself.  If the app chooses to forward, the container
> is
> | > going to assume that it knows what it is doing.
> | >
> | > Now that you can declare a Filter to be imposed on RD calls in
> Servlet
> | > 2.4, that might be a good place to implement a check like this.
> | >
> | >
> | >>-Tim
> | >>
> | >
> | >
> | > Craig
> | >
> | 
> | 
> | --
> | To unsubscribe, e-mail:   <mailto:tomcat-user-
> | unsubscribe@jakarta.apache.org>
> | For additional commands, e-mail: <mailto:tomcat-user-
> | help@jakarta.apache.org>
> 
> 
> --
> To unsubscribe, e-mail:   
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>

--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message