tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Koberg <...@koberg.com>
Subject Re: Authentication without Authorization ( JNDI Realm )
Date Thu, 03 Dec 2009 03:16:24 GMT

On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Chuck,
> 
> On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>> Subject: Re: Authentication without Authorization ( JNDI Realm )
>>> 
>>> Technically speaking, this will require authentication but then let
>>> anyone holding any role defined in web.xml to access any page on your
>>> site.
>> 
>> But the valid roles still have to be listed in web.xml to be compliant with the spec.
> 
> Yes. That's why I said "technically" and "practically".
> 
>>> Practically speaking, you don't even need to define the roles in
>>> web.xml because (last time I checked), Tomcat treats '*' as
>>> "authenticated, regardless of roles".
>> 
>> That was a bug, now fixed:
>> http://marc.info/?l=tomcat-user&m=123568422715010&w=2
> 
> I'll have to look elsewhere in the code, then. What I saw in
> GenericPrincipal clearly takes, ahem, liberties with the spec.

(don't know if this has been mentioned)

There is the @PermitAll (and @DenyAll, @RolesAllowed) annotations. It requires a servlet 3.0
container or some framework that allows it (I like Jersey).

best,
-Rob


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message