Return-Path: 
 <users-return-198458-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 43758 invoked from network); 24 Jun 2009 15:12:59 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 24 Jun 2009 15:12:58 -0000
Received: (qmail 87831 invoked by uid 500); 24 Jun 2009 15:13:06 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 87770 invoked by uid 500); 24 Jun 2009 15:13:05 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 87759 invoked by uid 99); 24 Jun 2009 15:13:05 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Jun 2009 15:13:05 +0000
X-ASF-Spam-Status: No, hits=2.2 required=10.0
	tests=HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of ehchong@gmail.com designates
 209.85.221.193 as permitted sender)
Received: from [209.85.221.193] (HELO mail-qy0-f193.google.com)
 (209.85.221.193)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Jun 2009 15:12:56 +0000
Received: by qyk31 with SMTP id 31so1014565qyk.30
        for <users@tomcat.apache.org>; Wed, 24 Jun 2009 08:12:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=hSwEe6s2MIqhfMvbjJgrAJCwvH1kYscDjueUptCQOBg=;
        b=MfcIjH61WFnzHqBkNiqrF/ecNZDLt7ReCwa1y/c/vFjQ0K+TR0rM7ZKLukuRsqGuN8
         omlmjAP+BupS4xBa02+zBtom3USAIouUlqCTZg8YDZq0rt/0mkAWqcQShf8qQXYhUm63
         sPp5lU3oZqcLkASpUEtoSa2u8bfYFhPPAEJLs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=mDJ26Hu3i3Es3n4miBzkbgMk07/3WQx8bYxCFGah32RPv+ZMYPCxmZLXLHQOdC0uXk
         qmtCTf/Whxv6xpWUOLx4FxOJGumUcyZdZmZNu5MH1u2Y95qm9/pUcWImEKr+9EKwNDZe
         I3edy00b9r6/fFn2PPCajB8M0vOa1qFLqcURE=
MIME-Version: 1.0
Received: by 10.229.96.13 with SMTP id f13mr741868qcn.36.1245856355525; Wed,
	24 Jun 2009 08:12:35 -0700 (PDT)
In-Reply-To: <4A4207CD.10709@apache.org>
References: <529a33110906232038n101d58f3v2babf4ab6d76e905@mail.gmail.com>
	 <4A4207CD.10709@apache.org>
Date: Wed, 24 Jun 2009 23:12:35 +0800
Message-ID: <529a33110906240812j3021993dn4fc901d0f656879@mail.gmail.com>
Subject: Re: Help: auth-constraint with Tomcat 6
From: Clement Chong <ehchong@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Content-Type: multipart/alternative; boundary=0016368324828325e4046d1989fd
X-Virus-Checked: Checked by ClamAV on apache.org

--0016368324828325e4046d1989fd
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi Tim,

Basically the first realm contains list of users we want to deny access. The
password would be dynamic, making it difficult to get through. Well, maybe I
should really consider working with specific roles. That is, grant users
with roles that would allow them access. Then I would probably just need a
single realm for authentication.

However, this would mean almost all users require such a role granted except
for some whom we like deny access. Then every new users would also probably
need granted the role. A little extra work there, besides working with IT to
get the new role setup.. A black list would work better than a white list in
this case.


Thanks,
Clement

On Wed, Jun 24, 2009 at 7:02 PM, Tim Funk <funkman@apache.org> wrote:

> Do you really want to have allow different passwords for the same user id?
> Sounds dangerous.
>
> For different access control restrictions you needs to set up various
> roles, which are names chosen by you. Which can be something like
> - reader, writer
> - admin, superuser, user
> - it, sales, marketing, hr
>
> Then your role names * would be gone and you would need a
> <security-constraint> for each resource category you need to protect.
> (Google for more details on <security-constraint> for more help on that)
>
> -Tim
>
>
> Clement Chong wrote:
>
>> Hi tomcat users,
>>
>> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
>> with nested JDBCRealm and JNDIRealm. The security constraint has also been
>> setup in my application WEB-INF/web.xml file:
>>
>> <auth-constraint>
>>      <!-- Anyone with one of the listed roles may access this area -->
>>      <role-name>*</role-name>
>> </auth-constraint>
>>
>> User is now authenticated via JDBCRealm followed by JNDIRealm and would be
>> able to access protected pages with any role.
>>
>> The question I have is how can I deny a group of users with a particular
>> role to all protected pages even if they can provide correct combination
>> of
>> username/password?
>>
>> Would it also be possible to change the behavior of the
>> combinedRealm/LockoutRealm such that if username is found in prior realm
>> and
>> password is incorrect, then it skips the other realms? It only look into
>> the
>> other realms if username is not found in prior realms.
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

--0016368324828325e4046d1989fd--