Hello. I'm quite new in the "Programming towards J2EE" business, so bear with me if I missed some basic point (or if this mail on this mailing list is totally off topic).

I'm developing an application that will serve as a web-based file storage archive. Customers will receive login credentials and be able to access projects that they have been assigned (read: groups). There must also be an anonymous "mode" where projects that have an anonymous flag will be shown and allowed access. What I'm looking to construct is something like this:

User requests servlet at /access/test/. Parsing is done and a question is popped to a database looking for the project "test". Test is found and is anonymous. File listing is shown.

User requests servlet at /access/secret1/. Parsing is done and a question is popped to a database looking for the project "secret1". Secret1 is found but is not anonymous - user is redirected to a FORM-login. User logs in and file listing is shown.

User requests servlet at /access/secret2/. Parsing is done and a question is popped to a database looking for the project "secret2". Secret2 is found but is not anonymous and not assigned to User1 - user is redirected to an Access Denied-page.

I'm aware that it's possible to add security constraints to every single /access/secret1, /access/secret2, /access/secret3 and so on, but that is no fun. Also, I would need to add a role for each project. Basically what I want is some sort of dynamic role and security constraint injection.

From what I've understood, this is commonly solved using a filter - but when I look at the existing functionality it comes annoyingly close to what I need. Although, if a filter is the J2EE way to solve this, it brings me to my next question: How do I manually test logins to the application's security realm?

Greetings,
--
Christian Svensson
Command Systems
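The three cases described in the message above, sketched as a servlet filter (an added example, not part of the original post or any project's code). `ProjectStore` and its methods are hypothetical stand-ins for the database lookup, and the sketch assumes a Servlet 3.0+ container, a filter mapping of `/access/*`, and a login mechanism configured in `web.xml`.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProjectAccessFilter implements Filter {
    /** Hypothetical lookup backed by the project database (assumption, not from the post). */
    public interface ProjectStore {
        boolean exists(String project);
        boolean isAnonymous(String project);
        boolean isAssigned(String project, String user);
    }

    // Accept only a plain name as the first segment after /access/; anything else
    // ("..", ";jsessionid=", encoded characters) fails to match and is rejected.
    private static final Pattern PROJECT =
            Pattern.compile("^/access/([A-Za-z0-9_-]{1,64})(/.*)?$");
    private final ProjectStore store;

    // Register the instance with ServletContext.addFilter(String, Filter) (Servlet 3.0+).
    public ProjectAccessFilter(ProjectStore store) { this.store = store; }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        Matcher m = PROJECT.matcher(path);
        if (!m.matches() || !store.exists(m.group(1))) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String project = m.group(1);
        if (store.isAnonymous(project)) {            // case 1: anonymous project
            chain.doFilter(rq, rs);
            return;
        }
        // case 2: not logged in, so run the container's configured login mechanism.
        // authenticate() returns false once it has sent the login page or challenge.
        if (req.getRemoteUser() == null && !req.authenticate(res)) return;
        if (!store.isAssigned(project, req.getRemoteUser())) {   // case 3: wrong user
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

The filter denies by default: a request reaches the servlet only after the project name has been validated and one of the allow conditions has been met.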
