Hi Mike, you are right. JAAS with the authorization part is not constructed for J2EE applications. Authentication works fine, but the authorization part you have to implement yourself. I am doing something like this, because I didn't find any other solution.
I authenticate with JAAS on a JSP (without an applet). The authorization runs like the policy grants, but in XML. On every request I go to an ActionServlet (Struts) which sends a request to an authorization servlet. This servlet checks the rights for this directory and sends its response back to the ActionServlet. Based on this result the correct forward will be taken. I hope it will be working, because I am on it now. I hope there will soon be a non (Struts) ;-) solution or something like that.

Juraj

-----Original Message-----
From: Mike Jackson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 7 February 2002 16:27
To: Tomcat Users List
Subject: Re: protect websites with jaas

I tried to do something like that. But I found that with jaas all I got was the permissions of the user that was running tomcat. After reading and playing a bit more I concluded that I'd need an applet running on the web client in order to get jaas to work for me. And with the restrictions on applets I decided that wasn't worth it either.

However, I could have misunderstood something or been doing it wrong, but that's my experience. Your mileage may vary, some assembly required, batteries not included.

--mikej
-=-----
mike jackson
[EMAIL PROTECTED]

----- Original Message -----
From: "juraj Lenharcik" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 07, 2002 2:12 AM
Subject: protect websites with jaas

> Hello,
>
> I have built an application with an authentication with an NT Domain. I have
> some authorization aspects, too. That means, not every authenticated user
> has the rights to do some actions.
>
> I have ported this application to a webapp. The authentication part works
> fine. The user has to input his name and password and will be authenticated or
> not. But with the authorization part I have some problems.
>
> What is the best way to protect some sites with JAAS? I mean user1 has
> the right to run some JSPs, but user2 does not have this right.
>
> On the application site I do these grants in the policy like:
>
> grant codebase "file:./MyTest.jar", Principal NTPrincipal "user1"{
>     permission java.util.PropertyPermission "user.dir", "read";
>     permission java.util.PropertyPermission "user.home", "read";
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.io.FilePermission "foo.txt", "read";
> };
>
> But does anyone have an idea, or has anyone implemented it for websites? I am not sure
> what the best concept is. I think the server should take some work on this,
> so that I can grant it like:
>
>     permission server.accessFantasyPermission "htdocs/jsp1", "read";
>
> Is it possible to do something like this?
>
> Thank you
> Juraj
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
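
The per-request check described in the reply at the top of this thread (look up the rights for the requested directory, then pick the forward) can be written as a deny-by-default lookup. This is an added example, not code from the thread or from Tomcat, Struts or JAAS: `PathAuthorizer`, the grant table and the sample paths are hypothetical, the rules are held in a map instead of XML, and `requestPath` is assumed to be the container-decoded request path (Java 9+).

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;

// Hypothetical class for illustration; not part of JAAS, Struts or Tomcat.
public class PathAuthorizer {
    // Deny by default: true only when an explicit grant covers the path.
    // grants maps a path prefix to the names of the principals allowed below it.
    // Assumes requestPath is the already-decoded path of the request.
    public static boolean isAllowed(Map<String, Set<String>> grants,
                                    Principal user, String requestPath) {
        if (user == null || user.getName() == null || requestPath == null
                || !requestPath.startsWith("/") || requestPath.contains("\\")) {
            return false;
        }
        // Refuse dot segments instead of resolving them, so a path such as
        // "/jsp2/../jsp1/edit.jsp" is never matched against the "/jsp2" grant.
        if (Arrays.stream(requestPath.split("/"))
                .anyMatch(s -> s.equals("..") || s.equals("."))) {
            return false;
        }
        for (Map.Entry<String, Set<String>> grant : grants.entrySet()) {
            String prefix = grant.getKey();
            // Match on a segment boundary: "/jsp1" must not cover "/jsp10/...".
            boolean covers = requestPath.equals(prefix)
                    || requestPath.startsWith(prefix + "/");
            if (covers && grant.getValue().contains(user.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample grants standing in for the XML rules.
        Map<String, Set<String>> grants = Map.of(
                "/jsp1", Set.of("user1"),
                "/jsp2", Set.of("user1", "user2"));
        Principal user1 = () -> "user1";
        Principal user2 = () -> "user2";
        String[] paths = {"/jsp1/edit.jsp", "/jsp2/view.jsp",
                          "/jsp10/x.jsp", "/jsp2/../jsp1/edit.jsp"};
        for (String p : paths) {
            System.out.printf("%-24s user1=%b user2=%b%n", p,
                    isAllowed(grants, user1, p), isAllowed(grants, user2, p));
        }
    }
}
```

In a webapp the same call would sit in front of the forward decision, with the principal taken from the authenticated JAAS `Subject` and not from anything the client sends.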