tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [POLL] Finer-grained "manager" user-access privileges?
Date Sun, 10 Jun 2012 14:52:47 GMT

Konstantin,

On 6/8/12 7:06 AM, Konstantin Kolinko wrote:
> Specifically I do not like hard-coding role names into code. I
> think there could be some helper component that could help in
> access checks. (To be discussed separately). It will need some
> model to map access checks to roles.

I was thinking that we would just define the roles and apply them to
URLs that perform those actions. For example, "manager-gui-deploy"
would be able to invoke

  /manager/html/deploy

The same would be true for the other operations.

> What should we do with "list applications" page? Should it filter 
> itself and hide unaccessible actions? I think that is what will be 
> asked next.

That's a good question, and you're right: we'd need to perform
access-checks in the page which is ugly, though a fairly standard
practice in many web applications. The good news is that we don't
support 500 operations so fully-supporting them all shouldn't be too
bad if we wanted to hide unavailable options.

Isn't there already this problem with the "status" role versus all of
the roles that can actually do things like deploy, etc.?

-chris
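
A sketch of the role-per-URL approach described in the message above, written as servlet `security-constraint` entries for the manager webapp's `WEB-INF/web.xml`. This is an added example, not part of the original message or of Tomcat's shipped configuration; `manager-gui-deploy` is the role name proposed in the thread, and the URL patterns are assumptions written relative to the `/manager` context.

```xml
<!-- Coarse-grained rule: one role covers every HTML manager URL. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
  </auth-constraint>
</security-constraint>

<!-- Finer-grained rule (hypothetical role from the thread).
     The container applies the constraint whose url-pattern matches best,
     and an exact match takes precedence over the /html/* prefix, so
     manager-gui alone no longer reaches this URL. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager deploy action</web-resource-name>
    <url-pattern>/html/deploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui-deploy</role-name>
  </auth-constraint>
</security-constraint>

<!-- Roles referenced by the constraints above are declared here. -->
<security-role>
  <role-name>manager-gui</role-name>
</security-role>
<security-role>
  <role-name>manager-gui-deploy</role-name>
</security-role>
```

With this layout, a user who should both view the application list and deploy needs both roles; the list page itself would still render the deploy form unless it also checks the role, which is the filtering question raised in the quoted text.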
