For authorizing URLs in your application, you may be all right with defining the correct security constraints in your web.xml. This is relatively limited due to the types of patterns you can use in web.xml, but the good thing is that the container takes care of it. For this to work you have to define a set of URLs in your app that you can easily match in web.xml. For example, something like:

/
/customers/list
/customers/edit
...

But for finer granularity, you may have to use the Request Security generator (or use the Java APIs directly if you need access control from Java). For example, authorizing a user to access certain pages only during the weekends is not something you can do in web.xml.
Also, as mentioned in the previous email, you may have to take different actions depending on usernames and roles (for example to implement data-based security). In such cases, you will also need to access the username and roles from the application.
Practically, we tend to use both approaches: security constraints in web.xml for basic authorization, and use of username / roles in the application for more complex cases.
-Erik
Matt Allen wrote:
> Hi Damon,
>
> All very interesting. Our App is currently all PHP so knows nothing
> of "Roles" as such. We use internal roles, i.e.:
>
> 1. user
> 2. team leader
> 4. auditor
> 8. admin
>
> And bit shift them to see if a given user can access that page (in
> PHP: if (!($role & $page_protect)) { /* kick them out */ })
>
> Now, not knowing a hell of a lot about Java, should my application
> actually use low level Java roles? Or should I just be happy for my
> role based auth to happen at the app level?
>
> Cheers,
> Matt
_______________________________________________
oxf-users mailing list
http://mail.orbeon.com/mailman/listinfo/oxf-users
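
The weekend-only rule mentioned in the reply above, sketched as a servlet filter that builds on container-authenticated roles. This is an added example, not part of the original emails or of Orbeon's code. The role names, the `/customers/reports` path and the mapping of the quoted bit values onto container roles are assumptions; it needs the `javax.servlet` API and Java 9+.

```java
import java.io.IOException;
import java.time.DayOfWeek;
import java.time.LocalDate;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: role + weekend check done in the application, after container login. */
public class WeekendAccessFilter implements Filter {
    // Bit values from the quoted message; the container role names are assumed.
    static final Map<String, Integer> ROLE_BITS =
        Map.of("user", 1, "team-leader", 2, "auditor", 4, "admin", 8);
    // Hypothetical rule: auditors and admins may open reports, and only at weekends.
    static final String PROTECTED_PREFIX = "/customers/reports";
    static final int REQUIRED_BITS = 4 | 8;

    /** Pure decision function, testable without a container. */
    static boolean allowed(int userBits, int requiredBits, DayOfWeek day) {
        boolean weekend = day == DayOfWeek.SATURDAY || day == DayOfWeek.SUNDAY;
        return weekend && (userBits & requiredBits) != 0;
    }

    /** Build the bitmask from roles the container has already established. */
    static int roleBits(HttpServletRequest req) {
        int bits = 0;
        for (Map.Entry<String, Integer> e : ROLE_BITS.entrySet())
            if (req.isUserInRole(e.getKey())) bits |= e.getValue();
        return bits;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // Use the container-decoded path, not the raw URI, so ";params" cannot dodge the match.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        boolean guarded = path.equals(PROTECTED_PREFIX) || path.startsWith(PROTECTED_PREFIX + "/");
        if (guarded && (req.getRemoteUser() == null
                || !allowed(roleBits(req), REQUIRED_BITS, LocalDate.now().getDayOfWeek()))) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN); // deny by default
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The filter only narrows access: the coarse `/customers/*` constraint stays in web.xml so that unauthenticated requests never reach it.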
