The mapping of roles to OS users/groups was only an example; I could
have used other names or groups from whatever realm. The example clarifies
things, because most people know the root user in Unix and the
Administrator user in Windows.
Observation: I can in fact simply map roles to OS users and groups
using a JAAS LoginModule. There are LoginModules for Unix and Windows.
The <role-link> in the <security-role-ref> is for a different purpose. I
think that is well clarified in the specification. In the case of a
webapp, it is just a way to link different roles to a single <security-role>
in a single web application. This way you can unify different role names
with the same "role" into a unique role. This makes deployment less
painful, and you can reuse code in different webapps.
The <security-role-ref> is only for <servlet>, so imagine I have a JSP
that uses logic to check for a role, just to show different options to a
user:
Example
<logic:hasRole name="AdminRole">
My presentation code for Admin role here
</logic:hasRole>
I can't use a <security-role-ref> for a JSP.
I know I can have different realms for different webapps in Tomcat, but I
want to share the same one.
In a production environment it is not acceptable that every time I want
to deploy a new webapp, and in that webapp I have a new role name (that
does not, and maybe should not, exist in the realm), I must register
that role in the realm. Let's suppose we have 100 web applications, each
web application has a role named AdminRole<n> where n is 1, 2, ..., 100.
With Tomcat I must register in my realm the roles AdminRole1, ...,
AdminRole100 just to run those web applications. If Tomcat supported role
mapping per web application and the deployer decided that each AdminRole
would map to a group named Admin in the realm, that would be simple to do.
Craig R. McClanahan wrote:
>
>Note that you cannot map roles to real operating system users, because all
>of this stuff runs in a single JVM process, which (from the point of view
>of the operating system) has only a single user identity. However, it's
>possible to use your OS level facilities for authentication by setting up
>a JAASRealm appropriately -- although IMHO this has security risks,
>because the username and password are sent across the network unencrypted
>unless you use SSL for everything. But authenticating this way still has
>no impact on the Tomcat JVM -- unless you start it as root initially,
>there is no way for an authenticated web application user to gain root
>access privileges at the OS level.
>
>The general mechanism for role mapping that you are looking for is the
><security-role-ref> element nested inside a <servlet> element (which
>Tomcat does support). To deal with the multiple webapps case, you can
>either use the role mapping, or set up a separate Realm for each webapp,
>by nesting a <Realm> element inside <Context> in your server.xml file.
>
--
Bruno Antunes,
Java Software Engineer
email: mailto:[EMAIL PROTECTED]
Phone: +351.21.7994200
Fax : +351.21.7994242
WhatEverSoft - Java Center
Centro de Competencia Java
Praca de Alvalade, 6 - Piso 4
1700-036 Lisboa - Portugal
URL: http://www.whatevernet.com
_____________________________________________________________________
INTERNET MAIL FOOTER
This message may contain information considered confidential.
If the recipient of this message is not the indicated addressee, they are
expressly forbidden to copy or forward the message to third parties.
In such a situation, the recipient should destroy this message and
kindly inform the sender of that fact.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
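The mechanism the two messages above argue about, shown as a concrete web.xml fragment. This is an added example, not code from either poster or from Tomcat: the servlet class name, URL pattern and role names (AdminRole1 as the app-local alias, Admin as the realm role) are assumptions chosen to match the AdminRole<n> scenario in the thread. It shows the one thing <security-role-ref>/<role-link> actually does (alias the name a servlet passes to isUserInRole() onto a realm role) and the things it does not do (the <auth-constraint> and <security-role> still have to name the realm role, and the alias is scoped to that one <servlet> element).

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                         "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example (not from the original thread or from Tomcat).
     Names below are assumptions for illustration. -->
<web-app>

  <servlet>
    <servlet-name>AdminConsole</servlet-name>
    <!-- Assumed servlet class; any servlet calling isUserInRole() works. -->
    <servlet-class>com.example.AdminConsoleServlet</servlet-class>
    <!-- Inside THIS servlet only, request.isUserInRole("AdminRole1")
         is answered by checking the realm role named in <role-link>.
         Code written against "AdminRole1" can be redeployed against a
         realm that only knows "Admin" without touching the realm. -->
    <security-role-ref>
      <role-name>AdminRole1</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>AdminConsole</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>

  <!-- Container-enforced authorization. Note this names the REALM role,
       not the alias: <role-link> does not apply here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
    <!-- Credentials for BASIC auth cross the wire unprotected unless the
         container requires SSL; CONFIDENTIAL forces HTTPS for this area. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Shared realm</realm-name>
  </login-config>

  <!-- The realm role still has to be declared once per webapp.  What the
       thread asks for, and this does not give, is mapping the alias in a
       JSP or in a Struts <logic:hasRole> tag outside a <servlet> element. -->
  <security-role>
    <role-name>Admin</role-name>
  </security-role>

</web-app>
```

To check the behaviour, deploy two copies of the webapp whose servlets call isUserInRole("AdminRole1") and isUserInRole("AdminRole2") respectively, each with its own <role-link>Admin</role-link>, against a realm that defines only the Admin role; both should authorize the same user without AdminRole1 or AdminRole2 ever existing in the realm. The per-webapp <Realm> nested inside <Context> in server.xml that Craig mentions is the alternative when the realms themselves must differ.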