tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Berglas, Anthony" <>
Subject RE: Basic Auth without web.xml <security-constraint> not working
Date Fri, 30 Mar 2007 00:09:56 GMT
Thanks for your replies, I think that the matter is settled.

> > The underlying issue is that when Role R is required for Page P then
> > *TWO* things need to happen depending on whether the user is in role
> > These are
> >
> > 1. Allow or block access to page P.
> > 2. Grey out or not grey out the menu item for page P.
> Right, I understand.

> The fact is that Tomcat will not perform authorization without also
> performing authentication.

That is the crux of the matter.  IMHO it is a bug, whether in the
implementation or the spec I don't know or really care.

The APIs take a very simplistic view of the world, and it just does not
work for me at least.  Pity, as not much more is needed.  

I could indeed scan web.xml given the inadequate API
(rolesRequiredForUrl(), rolesForUser() etc.).  (Scanning is possible but
ugly -- needs duplication of URL pattern processing).  

But I prefer not to scan web.xml because I have other information about
each form, and it would be nice to put the source of truth for the
security info in the same place.

But thanks for all the help.  I have some Tomcat hacks that work for the
time being.  Later I will look for a fuller framework, either mine or
someone else's, that is not J2EE based.  

> If you really want to hack around with authentication and
> check out securityfilter ( The
> code is portable across servlet containers, and especially across
> different versions of the same container ;)

Looks interesting.  (Link is actually, your link was to a spam site.)


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message