tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat Security
Date Sat, 28 Oct 2006 20:57:18 GMT
Chuck,

Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
>> Subject: Re: Tomcat Security
>>
>> Since each image could have different authorization settings, 
>> you can't just use the servlet container's built-in authorization
>> (set up in web.xml). You will have to enforce this yourself.
> 
> Not sure that's necessarily true.  If the URI used to request the image
> used paths segregated by accessibility, I think most of the access
> checks could be handled by the appropriate declarative security
> constraints.

Well, he did say that the user can choose arbitrarily what the
authorization rules were. I would imagine that includes changing it on
the fly. Changing the URL on the fly based upon the authorization rules
would be very awkward. It was also unclear if the "passworded" images
meant that a user must login and be recognized, or there is a specific
password on each image. The latter would prohibit web.xml-based
authorization.

-chris


Mime
View raw message