If you switch to using a realm, you can use wildcards in the constraints so that it applies to a whole directory?
Whether this is useful obviously depends on whether you have all your JSPs in the same directory or you could have a *.jsp wildcard to cover all JSPs. Will depend on your naming conventions for the servlets.

- Duncan
www.pennymail.com

Riaan Oberholzer wrote:
> Hi,
>
> I have a web-app that defines different roles, so a
> user does not have access to all jsp/servlets in the
> web-app, depending on his role. An admin user e.g. can
> see pages to edit data, while a 'normal' user can only
> view it.
>
> What's the best way to enforce this security?
>
> I am now doing it by storing the user object (once
> logged in) in the session and per jsp/servlet checking
> his status as the very first action. It works well,
> so should I keep this or move to using a realm?
>
> If I do move to a Realm, I assume I would have to set
> up a security constraint for every jsp/servlet (or
> groups thereof)? Any hints & tips to optimize this?
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
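The wildcard constraints suggested in the reply above, written out as a web.xml fragment. This is an added example, not part of the original thread; the role names "admin" and "user", the /admin/ directory and the login page paths are assumptions.

```xml
<!-- Constructed example; goes inside <web-app>. Role names, the /admin/
     directory and the login page paths are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <!-- Path-prefix wildcard: covers every JSP and servlet mapped under
         /admin/. For /admin/edit.jsp this pattern is a better match than
         *.jsp below, so only the admin role gets in. -->
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> elements on purpose: the constraint then applies
         to every HTTP method. Listing only GET and POST would leave the
         other methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>All JSPs</web-resource-name>
    <!-- Extension wildcard: covers every JSP in the web-app, whatever
         directory it lives in. -->
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role used in an auth-constraint is declared here; the realm
     supplies the user-to-role mapping. -->
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>
```

A url-pattern cannot combine the two wildcard forms: /admin/*.jsp is treated as a literal path, not as "all JSPs under /admin/". Servlets are only covered if their servlet-mapping places them under a constrained pattern, which is where the naming conventions mentioned in the reply come in.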