Justin,

Given that I've authenticated someone, using JNDIRealm, can I then
operate with their permissions on the server?  I.e., if they
authenticate to Tomcat in JNDIRealm, do I get access to files that
carry their NT permissions?

Uhh, I'm not entirely sure, but I'd eat my proverbial hat if a user logged in to your web application (using J2EE-style j_security_check, right?) and then could access any of their files on the server.


Tomcat should run with a particular user's privs. If you run it as Administrator, then you'll open your whole system up to file theft (is that your concern?).

You should run Tomcat as a user with very little access. On UNIX systems, it's common to either use the "nobody" user or create a user under which Tomcat will run.

Tomcat doesn't assume the privs of a user that has successfully logged in to your application. So, you can't use Tomcat as a file-server unless it actually is running as Administrator or the user whose files you want to read.

There may be a way to authenticate directly with NT and then request files through some other mechanism, but you can't just open up a FileInputStream to anything you want :)

-chris
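
As an added illustration (not code from this thread), a hypothetical diagnostic servlet that prints the Realm-authenticated principal next to the OS account the Tomcat JVM runs as, and shows that file readability is decided by the latter. The class name, the `/srv/userfiles` directory and the `javax.servlet` namespace are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; map it behind a <security-constraint> so a Realm login is required.
public class WhoAmIServlet extends HttpServlet {
    // Assumed base directory holding one sub-directory per user (not from the thread).
    private static final Path BASE = Paths.get("/srv/userfiles").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Identity established by the Realm (e.g. JNDIRealm). It exists only inside the container.
        String webUser = req.getRemoteUser();
        if (webUser == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Resolve the caller's directory and refuse anything that escapes BASE.
        Path userDir = BASE.resolve(webUser).normalize();
        if (!userDir.startsWith(BASE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Account the operating system checks file permissions against:
        // the one that started the Tomcat JVM, regardless of who logged in.
        String osUser = System.getProperty("user.name");

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Container principal: " + webUser);
        out.println("OS process account : " + osUser);
        // isReadable() reflects the OS account's rights, not the web user's.
        out.println("Readable by process: " + userDir + " -> " + Files.isReadable(userDir));
    }
}
```

Because the operating system only ever sees the process account, any per-user restriction on files has to be enforced by the application itself, as the `startsWith(BASE)` check does here.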

