We have an existing client/server application we're re-writing to run the
server-side as Java servlets.  The server controls access to a large group
of resources, where access to a resource is granted based on the user and the
groups of which that user is a member.

Clearly we can get the user (usually) from HttpRequest.getRemoteUser().

Realms are a question:
Which realm is used or should we require?

Group membership is a question:
How do you find the groups of which the user is a member?

We could require the native security realm, and then make calls to native
security (yuck).

We could hook into web server specific classes to dial out more security
info (yuck).

Basically

Should we turn the problem around entirely and expect the web server to do
all security checking?

This seems to be what the model supports.  I suppose then in effect subtrees
would be associated with ACLs, like:

  /PathToSecretInfo/*   -- ACL associated with /PathToSecretInfo
  /PathToPublicInfo/*   -- ACL associated with /PathToPublicInfo

Does this work with servlets, where part of the path is a parameter to the
servlet?

For example:

  /MyServlet/secrets/*  -- where MyServlet is a named servlet
  /MyServlet/public/*   -- same servlet but different path/parameter
  /MyServlet/accounting/*
  /MyServlet/sales/eastern/*

Or am I looking at this all wrong? :)

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
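One way the path-as-parameter case can line up with container-managed ACLs, as an added example that is not part of the original post: it assumes a Servlet 2.2+ container, this servlet mapped to `/MyServlet/*`, declarative `<security-constraint>` entries on the same sub-paths (`/MyServlet/secrets/*` and so on) in web.xml, and hypothetical role names (`secrets-readers`, `accounting`, `sales-eastern`) that the container's realm maps to user groups. The servlet derives the subtree from `getPathInfo()` and re-checks the role as a second layer behind the container's own check.

```java
// Added example (not from the original post). Assumes a Servlet 2.2+ container,
// this servlet mapped to /MyServlet/* and matching <security-constraint>
// url-patterns in web.xml; role names below are hypothetical and are mapped
// to groups by the container's realm, not in code.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {
    // Subtree (relative to /MyServlet) -> role the container must have granted.
    // Mirrors the web.xml constraints; "public" is absent because it needs none.
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("secrets", "secrets-readers");
        REQUIRED_ROLE.put("accounting", "accounting");
        REQUIRED_ROLE.put("sales/eastern", "sales-eastern");
    }

    // Longest subtree key that is a whole-segment prefix of the decoded path info,
    // so "/sales/eastern/q3.txt" -> "sales/eastern" and "/secretsX" -> "" (no match).
    static String subtreeOf(String pathInfo) {
        String best = "";
        if (pathInfo == null) return best;
        for (String key : REQUIRED_ROLE.keySet()) {
            String prefix = "/" + key;
            if ((pathInfo.equals(prefix) || pathInfo.startsWith(prefix + "/"))
                    && key.length() > best.length()) {
                best = key;
            }
        }
        return best;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String pathInfo = req.getPathInfo();          // e.g. "/secrets/report.txt"
        String role = REQUIRED_ROLE.get(subtreeOf(pathInfo));
        // Defense in depth: the container already enforced the url-pattern, but a
        // missing or mis-typed constraint in web.xml would otherwise go unnoticed.
        if (role != null && !req.isUserInRole(role)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getRemoteUser() + " path=" + pathInfo);
    }
}
```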