You would need to combine two security philosophies:
- container based security
- programmer based security
The first is done via web.xml and matching URLs against given roles. When that is not enough, then you need to use programmatic security. You use the HttpServletRequest object's instance methods getPrincipal, getRemoteUser, or isUserInRole to decide if the user can do what you want.
The key point is the servlet spec only places security constraints on the *incoming* URL. (for 2.3 --> tomcat 4.x)
-Tim
John MccLain wrote:
How would I get Tomcat to use a database table instead of the web or server .xml files' <security-constraint>.<auth-constraint>.<role-name> to enforce authorization? I would prefer to have objects in my webapp to have configurable authorization applied to them outside of tomcat configuration files; Done more like JDBCRealm authentication.
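An added example, not part of either message above: one way to combine the two approaches is to let the container's realm answer role membership through isUserInRole while the object-to-role mapping lives in application data. The class name, the object_roles table and the sample rows are hypothetical; the in-memory map stands in for rows a webapp would load over JDBC.

```java
import java.util.*;
import java.util.function.Predicate;

/** Programmatic authorization driven by a role table instead of web.xml. */
public class TableAuthorizer {
    // Constructed stand-in for a hypothetical table
    // object_roles(object_name, action, role_name) loaded via JDBC.
    private final Map<List<String>, Set<String>> requiredRoles = new HashMap<>();

    public void grant(String objectName, String action, String role) {
        requiredRoles
            .computeIfAbsent(Arrays.asList(objectName, action), k -> new HashSet<>())
            .add(role);
    }

    /**
     * @param isUserInRole in a servlet, pass request::isUserInRole so the
     *                     container's realm still decides role membership
     */
    public boolean isAllowed(String objectName, String action,
                             Predicate<String> isUserInRole) {
        Set<String> roles = requiredRoles.get(Arrays.asList(objectName, action));
        if (roles == null) {
            return false; // no row for this object/action: deny by default
        }
        for (String role : roles) {
            if (isUserInRole.test(role)) {
                return true; // any one matching role is sufficient
            }
        }
        return false;
    }

    public static void main(String[] args) {
        TableAuthorizer authz = new TableAuthorizer();
        authz.grant("invoice", "read", "clerk");
        authz.grant("invoice", "read", "manager");
        authz.grant("invoice", "approve", "manager");

        // Constructed user holding only the "clerk" role.
        Set<String> userRoles = Collections.singleton("clerk");
        Predicate<String> inRole = userRoles::contains;

        System.out.println("read invoice:    " + authz.isAllowed("invoice", "read", inRole));
        System.out.println("approve invoice: " + authz.isAllowed("invoice", "approve", inRole));
        System.out.println("read payroll:    " + authz.isAllowed("payroll", "read", inRole));
    }
}
```

Because the check runs inside application code, it also covers objects reached through internal forwards, which URL-based constraints in web.xml do not see.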
