If you want to give users dynamic permissions at runtime, you could add a
filter on top of container managed authentication (CMA).  CMA is nice b/c
you can authenticate with LDAP, a database (my example uses MySQL),
or a flat file - or even an NT Domain.

You'll probably have to set up some sort of system that defines "who can see
what" - so you'll eventually (probably) end up implementing some sort of
roles/groups - unless you're planning on checking for individual usernames
or some such attribute before allowing access.

Tomcat's security constraint stuff is the same thing as CMA.

HTH,

Matt
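
A sketch of the filter-on-top-of-CMA approach described in the message above, added here as an illustration; it is not code from the thread or from the linked sample app. The class name `PermissionFilter`, the JNDI name `jdbc/appdb` and the `user_permissions(username, resource)` table are assumptions, and the filter is assumed to be mapped to `/*` in web.xml next to a security constraint covering the same URLs.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Hypothetical per-user authorization filter layered on container managed authentication.
public class PermissionFilter implements Filter {
    private DataSource ds;
    private ServletContext ctx;

    public void init(FilterConfig cfg) throws ServletException {
        ctx = cfg.getServletContext();
        try {
            // Assumed JNDI name for the database that holds the permission rows.
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appdb");
        } catch (NamingException e) {
            throw new ServletException("permission database not configured", e);
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String user = req.getRemoteUser();   // set by the container; null if not authenticated
        // Container-decoded, context-relative path, so JSPs and static files are covered too.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        boolean allowed = false;             // deny by default, including on lookup errors
        try {
            allowed = user != null && isAllowed(user, path);
        } catch (SQLException e) {
            ctx.log("permission lookup failed for " + path, e);
        }
        if (allowed) chain.doFilter(rq, rs);
        else ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    // True only if a row grants this exact user this exact resource (assumed schema).
    private boolean isAllowed(String user, String path) throws SQLException {
        String sql = "SELECT 1 FROM user_permissions WHERE username = ? AND resource = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, path);
            try (ResultSet r = ps.executeQuery()) { return r.next(); }
        }
    }

    public void destroy() { }
}
```

Because the grants live in a table keyed by username, they can be changed at runtime without touching roles or tomcat-users.xml; the container's realm still handles who the user is.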

-----Original Message-----
From: David Erickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 11:54 AM
To: Struts Users Mailing List
Subject: Re: Webapp Security?


Is it based on using security restraints and having all your users set into
groups in the tomcat-users.xml file?  If so our problem is we don't want to
have users based into groups but want to give permissions to users
individually to many different things.. and we want to store our users in a
database rather than tomcat's xml file.. if I am mistaken on how this works
please correct me =)  (I haven't actually looked at it, I've just looked at
tomcat's security restraint stuff before)
-David

----- Original Message ----- 
From: "Raible, Matt" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 11:47 AM
Subject: RE: Webapp Security?


> How about using container managed security with tomcat's realms?  It works
> great for me.
>
> Here's an example app if you're interested: http://tinyurl.com/fuvq
>
> HTH,
>
> Matt
>
> -----Original Message-----
> From: David Erickson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 02, 2003 11:27 AM
> To: Struts Mailing List
> Subject: Webapp Security?
>
>
> Just curious how others have gone about protecting the resources within their
> webapp.. in our personal setup we would like to control access to every
> resource if possible, we have our own custom login page that sets session
> variables, and pulls the data from the database.
>
> We can authenticate people with code in each of the actions, but nothing is
> preventing someone from directly going to a jpg or a jsp file or anything of
> the like.  What I thought about doing was subclassing the tomcat connectors,
> the default, the jsp one, and the struts one and then authenticating each
> request.. but that adds a lot of overhead.  Anybody have any other good
> ideas?  We'd like to stick with just tomcat 4.1.24... no apache (no
> .htaccess).. what is everyone else implementing?
> -David
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

