Re: requiring multiple roles for access
Barry,

Regarding your method below, do you catch this method in JSP or somewhere else?

Thanks,
Ryan

On 3/21/07, Propes, Barry L [GCG-NAOT] [EMAIL PROTECTED] wrote:
> I don't know about disabling users, as I haven't tried something like that, and there may be ways of tiering the access in regards to roles, which I technically haven't tried either.
>
> But what I have is a group of people who absolutely have to access one portion, and then some admins who have to access another. But for reasons you can probably imagine, I certainly don't want it wide open to anyone with an account. So I've got it gated as such in this manner. Does this make sense?
>
> Another thing I did was run separate select queries from the users and approvers table, one I created and linked together by a unique ID. If someone contained one role, they could access this section. If not, in another case, an exception is thrown, which I didn't catch properly right away, but it doesn't let that user into the section.
>
> Let me know if you need more insight into it. Good luck with it Ryan!
>
> -----Original Message-----
> From: Ryan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 21, 2007 2:22 PM
> To: Tomcat Users List
> Subject: Re: requiring multiple roles for access
>
> Barry,
>
> I'm looking for a way to disable the user by taking them out of one role, but leaving them in the roles they were in before they were disabled (for informational purposes). I didn't think it would be possible, but I wanted to throw it out there in case I missed something. What you are suggesting may also be suitable.
>
> Thanks,
> Ryan
>
> On 3/21/07, Propes, Barry L [GCG-NAOT] [EMAIL PROTECTED] wrote:
> > I know you can assign different roles to an app, and to a user, and make that user need one role to get to one part and an additional role to access a separate part of the app, but the entire app? Not sure about that.
> >
> > I've got people in my users table that have to have multiple roles for several tasks within my app. If they only have one role, they're able to do a certain part of the app, but not all of it. Is this what you're trying to accomplish?
> >
> > -----Original Message-----
> > From: Ryan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, March 21, 2007 8:39 AM
> > To: users@tomcat.apache.org
> > Subject: requiring multiple roles for access
> >
> > Hi All,
> >
> > I would like to require a user to belong to two roles to access a certain application (i.e. user must belong to role1 AND role2 to access). I've tried the following in my web.xml
> >
> >   <auth-constraint>
> >     <role-name>role1</role-name>
> >     <role-name>role2</role-name>
> >   </auth-constraint>
> >
> > Unfortunately, this doesn't seem to work (it seems to allow role1 OR role2). Is what I'm trying to do possible??
> >
> > Thanks,
> > Ryan
Re: requiring multiple roles for access
Barry,

This is a good implementation, and yes, it does make sense. I did go with a different implementation, though, essentially I created a new table that stores the user's previous roles and timestamps them when the user is disabled. When they are re-enabled, I just put the role data back into the roles table so there's no change in their previous access. This way, the JSP developers don't have to think about it, it just happens in the background. It's probably not the best implementation, but it'll do ;-).

By the way, I've given up on the role combo login, I was just hoping when I wrote that one.

Thanks,
Ryan

On 3/22/07, Propes, Barry L [GCG-NAOT] [EMAIL PROTECTED] wrote:
> Hey Ryan,
>
> I didn't end up catching it, only because the people getting the email that would log in to the voting section, it doesn't come into play for them. In other words, if they get the email, they're already in the DB as a user and have the necessary role.
>
> If I was going to catch it, I'd need to catch it in this JSP, the way I wrote it. The architecture I used on this one file was not ideal, as I have three select query statements residing within it.
>
> What I could stand to do, and would do, is catch it in the JSP, but probably by the declared string variable I have, called jrole. jrole in this case is the one of admin, service, legal, risk, etc. So if they're not one of four roles, I need to throw in a catch block for the SQL Exception there, otherwise I'd get an exhausted results set error, or invalid cursor state, if it can't find the matching role.
>
> Does this make sense? Or help you any? Sorry if it wasn't of more help. Let me know. And let me know more so the way your site/app is structured; for example, who needs to go to a protected area, what roles, etc.
>
> I don't think you can make it have a dual/double login layer. Wouldn't make too much sense anyway as they'd have to use the same combo and that would defeat the session purpose anyway.
>
> -----Original Message-----
> From: Ryan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 22, 2007 9:35 AM
> To: Tomcat Users List
> Subject: Re: requiring multiple roles for access
>
> Barry,
>
> Regarding your method below, do you catch this method in JSP or somewhere else?
>
> Thanks,
> Ryan
RE: requiring multiple roles for access
oh, ok. I'd say your solution's pretty plausible. I've just now had to retool my users table a bit adding a timestamp for auth purposes, too.

I've just got the one extra table that allows people to be in multiple categories, yet confined to the one role in the users_role table.

-----Original Message-----
From: Ryan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 22, 2007 2:39 PM
To: Tomcat Users List
Subject: Re: requiring multiple roles for access

Barry,

This is a good implementation, and yes, it does make sense. I did go with a different implementation, though, essentially I created a new table that stores the user's previous roles and timestamps them when the user is disabled. When they are re-enabled, I just put the role data back into the roles table so there's no change in their previous access. This way, the JSP developers don't have to think about it, it just happens in the background. It's probably not the best implementation, but it'll do ;-).

By the way, I've given up on the role combo login, I was just hoping when I wrote that one.

Thanks,
Ryan
Re: requiring multiple roles for access
Yeh, this project is moving pretty fast, so I'm going with some quick solutions that may or may not be elegant :-) If I get a chance to revisit this, I'm going to try your solution.

Thanks again for all your help.

- Ryan

On 3/22/07, Propes, Barry L [GCG-NAOT] [EMAIL PROTECTED] wrote:
> oh, ok. I'd say your solution's pretty plausible. I've just now had to retool my users table a bit adding a timestamp for auth purposes, too.
>
> I've just got the one extra table that allows people to be in multiple categories, yet confined to the one role in the users_role table.
RE: requiring multiple roles for access
you bet. If you want me to send you any sample code or my table structure, FWIW, I'll be glad to.

-----Original Message-----
From: Ryan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 22, 2007 5:33 PM
To: Tomcat Users List
Subject: Re: requiring multiple roles for access

Yeh, this project is moving pretty fast, so I'm going with some quick solutions that may or may not be elegant :-) If I get a chance to revisit this, I'm going to try your solution.

Thanks again for all your help.

- Ryan
requiring multiple roles for access
Hi All,

I would like to require a user to belong to two roles to access a certain application (i.e. user must belong to role1 AND role2 to access). I've tried the following in my web.xml

  <auth-constraint>
    <role-name>role1</role-name>
    <role-name>role2</role-name>
  </auth-constraint>

Unfortunately, this doesn't seem to work (it seems to allow role1 OR role2). Is what I'm trying to do possible??

Thanks,
Ryan
RE: requiring multiple roles for access
> From: Ryan [mailto:[EMAIL PROTECTED]
> Subject: requiring multiple roles for access
>
> I would like to require a user to belong to two roles to access a certain application (i.e. user must belong to role1 AND role2 to access). I've tried the following in my web.xml
>
>   <auth-constraint>
>     <role-name>role1</role-name>
>     <role-name>role2</role-name>
>   </auth-constraint>
>
> Unfortunately, this doesn't seem to work (it seems to allow role1 OR role2).

As expected; to quote from the servlet spec:

"A user must be a member of at least one of the named roles to be permitted to perform the constrained requests."

> Is what I'm trying to do possible??

The easiest way might be just to define a separate role for this purpose rather than trying to piggy-back off combinations.

 - Chuck
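
Because an auth-constraint is satisfied by any one of its listed roles, a role1 AND role2 requirement has to be checked after the container has authenticated the user. The servlet filter below is an added example, not code from this thread; the class, package, `requiredRoles` init parameter and URL pattern are hypothetical, and it assumes the `javax.servlet` API (Tomcat 10 and later use `jakarta.servlet` instead).

```java
package com.example.security; // hypothetical package

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example; class name, package, init-param name and URL pattern are
 * hypothetical. Register it in web.xml next to the existing
 * <security-constraint> (which still makes the container authenticate):
 *
 *   <filter>
 *     <filter-name>allRoles</filter-name>
 *     <filter-class>com.example.security.AllRolesFilter</filter-class>
 *     <init-param>
 *       <param-name>requiredRoles</param-name>
 *       <param-value>role1,role2</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>allRoles</filter-name>
 *     <url-pattern>/secure/*</url-pattern>
 *   </filter-mapping>
 */
public class AllRolesFilter implements Filter {

    private final List<String> requiredRoles = new ArrayList<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("requiredRoles");
        if (param != null) {
            for (String role : param.split(",")) {
                if (!role.trim().isEmpty()) {
                    requiredRoles.add(role.trim());
                }
            }
        }
        // Fail closed: a missing or empty role list is a deployment error,
        // not "no restriction", so refuse to start the filter.
        if (requiredRoles.isEmpty()) {
            throw new ServletException("requiredRoles init-param is missing or empty");
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // No principal means this URL was not covered by a security-constraint
        // (nobody was authenticated); deny instead of passing the request on.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The container granted access on "any one role"; here every
        // configured role must be present (AND semantics).
        for (String role : requiredRoles) {
            if (!req.isUserInRole(role)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter's URL pattern should match the one in the security-constraint, so that every request it sees has already been through the container's login.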
Re: requiring multiple roles for access
Barry,

I'm looking for a way to disable the user by taking them out of one role, but leaving them in the roles they were in before they were disabled (for informational purposes). I didn't think it would be possible, but I wanted to throw it out there in case I missed something. What you are suggesting may also be suitable.

Thanks,
Ryan

On 3/21/07, Propes, Barry L [GCG-NAOT] [EMAIL PROTECTED] wrote:
> I know you can assign different roles to an app, and to a user, and make that user need one role to get to one part and an additional role to access a separate part of the app, but the entire app? Not sure about that.
>
> I've got people in my users table that have to have multiple roles for several tasks within my app. If they only have one role, they're able to do a certain part of the app, but not all of it. Is this what you're trying to accomplish?
Re: requiring multiple roles for access
Chuck,

I think you and Barry are correct, I will probably define another role for this purpose and segregate different parts of the application.

Thanks,
Ryan

On 3/21/07, Caldarale, Charles R [EMAIL PROTECTED] wrote:
> > From: Ryan [mailto:[EMAIL PROTECTED]
> > Subject: requiring multiple roles for access
> >
> > I would like to require a user to belong to two roles to access a certain application (i.e. user must belong to role1 AND role2 to access). I've tried the following in my web.xml
> >
> >   <auth-constraint>
> >     <role-name>role1</role-name>
> >     <role-name>role2</role-name>
> >   </auth-constraint>
> >
> > Unfortunately, this doesn't seem to work (it seems to allow role1 OR role2).
>
> As expected; to quote from the servlet spec:
>
> "A user must be a member of at least one of the named roles to be permitted to perform the constrained requests."
>
> > Is what I'm trying to do possible??
>
> The easiest way might be just to define a separate role for this purpose rather than trying to piggy-back off combinations.
>
>  - Chuck
RE: requiring multiple roles for access
yeah and you might even add another table to tie it in, too. I've done that as well. Tomcat requires the users and user_roles tables, but that doesn't inhibit you from customizing it further if needed.

-----Original Message-----
From: Ryan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 21, 2007 2:28 PM
To: Tomcat Users List
Subject: Re: requiring multiple roles for access

Chuck,

I think you and Barry are correct, I will probably define another role for this purpose and segregate different parts of the application.

Thanks,
Ryan