"Bailey, Jeff A" wrote:
> Hello folks,
>
> I think this question may be more j2ee than simply model 2 related, but
> thought I would give it a shot here. I would like to utilize the security
> mechanisms built into the j2ee (and servlet 2.2) spec but with a custom
> authentication module.
>
Sounds like a reasonable goal.
>
> More specifically, I want to be able to define security constraints using
> the url-pattern matching techniques in the web.xml portion of my .war (which
> is a portion of my .ear) but use an external application (or servlet or
> whatever) to assign users to groups. This would allow great flexibility
> when it comes to defining which directories, files, servlets, etc are
> protected from which groups, users, and such. My authentication mechanism
> performs authentication against our network servers and assigns individuals
> to groups based on criteria which has been defined by management.
>
The mechanisms by which you do this will be specific to each container, because
there's no standard API. For example, in Tomcat 3.1 you have to extend an existing
class (that does the authentication checks) to interact with your underlying source
of authentication information instead of its default one.
>
> The problem with my current mechanism is that it requires me to code the
> appropriate authentication checks into every jsp and / or servlet which can
> be very tedious when I am changing security on specific files, entire
> subdirectories, or even a full application itself. On the other hand, this
> can be accomplished very easily using the url-pattern matching techniques
> available in the servlet 2.2 spec.
>
> What I am asking is quite possibly not possible, but hopefully you folks can
> give me some alternative approaches to solving this problem. Also, let me
> mention that adding 5500 users and passwords to each application's
> principals.xml is not very feasible as a solution :)
>
> So in conclusion, assuming I can authenticate a user and add this user to a
> group in an "Action class", how can I force the web application server to
> "recognize" these users and respective groups without having to code it into
> each jsp / servlet?
>
The how part is where the answer becomes "it depends". Each container is going to
have to define their own mechanisms for you to integrate. But in concept the use
of declarative security constraints in the web.xml is very attractive for precisely
the kinds of things you are looking for.
>
> Thanks in advance, hopefully this question makes some sense to somebody who
> can provide me with an answer (or idea)
>
> -jeff
>
Craig McClanahan