tomcat-users mailing list archives

From Cédric Couralet <cedric.coura...@gmail.com>
Subject Re: Dynamic auth-constraint in web.xml ?
Date Fri, 03 May 2013 12:17:49 GMT
2013/5/3 Christopher Schultz <chris@christopherschultz.net>:
> Cédric,
>
> On 5/3/13 3:09 AM, Cédric Couralet wrote:
>> More of a servlet spec question than a tomcat one, and, from what
>> I read, a rather long shot, but is there a way to define
>> auth-constraint dynamically in web.xml?
>>
>> For instance I'd like to have the following
>>
>> <security-constraint>
>>   <display-name></display-name>
>>   <web-resource-collection>
>>     <web-resource-name></web-resource-name>
>>     <url-pattern>/something/(.*)/someotherthing</url-pattern>
>>     <http-method>PUT</http-method>
>>     <http-method>POST</http-method>
>>     <http-method>DELETE</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>\1_something</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <security-role>
>>   <role-name>*_something</role-name>
>> </security-role>
>>
>> with \1 being the (.*) in url-pattern ?
>
> Nope. You'll have to resort to using a Filter.
>

Yes, that is what I thought.


>> I know I can do it programmatically with something like
>> request.isUserInRole(). But I would like to define all the webapp
>> security in another place than in code (if only not to forget
>> anything :) ).
>
> If you wanted things to be a bit more explicit in web.xml, you could
> write a Filter that checks for a *specific* user role, and then
> configure it all in web.xml.
>

This is a good idea, I'll try and see where it goes.

Thank you
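
The Filter approach suggested in this thread, as an added example (not code from the thread or from Tomcat): the class name `DynamicRoleFilter`, the init-param names and the single-segment capture `([^/]+)` in place of `(.*)` are assumptions of this sketch, and it targets the `javax.servlet` API.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the thread). Assumed init-params in web.xml:
//   pathPattern = /something/([^/]+)/someotherthing   roleSuffix = _something
//   methods     = PUT,POST,DELETE
public class DynamicRoleFilter implements Filter {
    private Pattern pathPattern;
    private String roleSuffix;
    private Set<String> methods;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("pathPattern");
        String s = cfg.getInitParameter("roleSuffix");
        String m = cfg.getInitParameter("methods");
        if (p == null || s == null || m == null) {
            throw new ServletException("DynamicRoleFilter: missing init-param, refusing to start");
        }
        pathPattern = Pattern.compile(p);
        roleSuffix = s;
        methods = new HashSet<String>(
                Arrays.asList(m.trim().toUpperCase(Locale.ROOT).split("\\s*,\\s*")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Container-decoded path relative to the context, unlike raw getRequestURI().
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        Matcher match = pathPattern.matcher(path);
        String method = request.getMethod().toUpperCase(Locale.ROOT);
        if (methods.contains(method) && match.matches()) {
            // isUserInRole() is false for unauthenticated callers, so this fails closed.
            if (!request.isUserInRole(match.group(1) + roleSuffix)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
    @Override
    public void destroy() { }
}
```

Declare it with `<filter>` and `<filter-mapping>` in web.xml so the pattern, role suffix and guarded methods stay in the deployment descriptor. The filter itself never triggers a login, so a declarative `<security-constraint>` on the same URLs is still what makes the container authenticate the caller first.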
