On Wed, 28 Aug 2002, jfc wrote:

> Date: Wed, 28 Aug 2002 14:11:51 +0000
> From: jfc <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: tomcat-user <[EMAIL PROTECTED]>
> Subject: does authorization occur for each request?
>
> Hi,
>
> A question re declarative security and form-based authentication and
> subsequent request authorization:
>
> Can anyone confirm whether or not authorization (i.e. role checking) is
> repeated for each request (to a secured resource) after a user has been
> authenticated?
>

Yes, it is.  The URL from each request is matched against the security
constraints you have defined, and the specified role restrictions are
enforced on every request.

> There would be times when a subsequent request comes in to a resource
> secured under a role which is higher or lower within the application's
> user hierarchy, and I need to know what behaviour Tomcat implements.
>

Tomcat doesn't know anything about "higher" or "lower" roles.  It only
asks whether a user has one of the roles listed in the security
constraint.

> Tomcat will surely have a list of valid roles for a particular
> authenticated user right? This would make sense as a check can be
> performed as and when required to determine whether or not the user has
> been assigned the required role.
>

In the default Realm implementations, the list of roles assigned to a user
is cached in the Principal object that resulted from authentication, so
the role checking is an in-memory lookup in a HashMap.  However, it's
perfectly reasonable to implement a Realm that goes to a database (or some
other external source of information) every time -- especially useful in
scenarios where the set of roles might be changing (such as a role that
says "can use this URL from 8am to 5pm on weekdays").

> jfc
>

Craig
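The declarative setup the thread is discussing, as an added example that is not part of the original message or of Tomcat's own files. Role names, URL patterns and the login pages are assumed for illustration. It shows the two points made in the reply: every request URL is matched against the security-constraints, and an auth-constraint grants access only to the roles literally listed, so "admin" does not implicitly cover a URL protected for "user".

```xml
<web-app>
  <!-- Added example, not from the original message. Role names, URL
       patterns and login pages are assumed for illustration. -->

  <!-- Every request whose URL matches /user/* is checked against this
       constraint, on every request, not just at login. Only the roles
       listed in auth-constraint pass; Tomcat has no role hierarchy, so
       "admin" is not implied by anything and must be listed explicitly
       (or admins must also be assigned the "user" role in the Realm). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <!-- No http-method elements: the constraint covers all HTTP methods.
           Listing only GET and POST would leave other methods unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- A user holding only "user" who requests /admin/anything is already
       authenticated, so no login form is shown; the role check simply
       fails and the container returns 403 (Forbidden) for that request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based authentication, as in the question. The form posts to
       j_security_check with fields j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the roles the constraints reference. -->
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

Two practical consequences follow from the per-request matching. First, adding a new role to a user in the Realm's backing store does not change what a logged-in user can reach if the Realm caches roles in the Principal at login time, as the default Realms described above do; the user has to re-authenticate (or the Realm has to re-query, as the reply suggests). Second, the `<url-pattern>` is what the constraint is matched on, so a resource reachable under two different paths needs both paths constrained.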

