On 3/17/06, Alessandro Colantoni <[EMAIL PROTECTED]> wrote:
> Hi! and good morning (but probably we're on different continents)
>
> I don't understand the last post where you say.
> >I had the impression he already had.. I don't get how posting this
> >helps, I must have misunderstood something.. Can you explain please?
>
> Anyway thanks for accurate explication.
> I'll go studying how to write the filter class
> I think that as you say the right way is to have at least one role mapped on
> web.xml, forbid to delete it from database and ensure all users have this
> role.
> So I can still use the yet configured container based authentication.
> Then check for permission in each page in the filter class, or, I was
> thinking check it directly in the jsp.
> I was thinking write a taglib to do so. (that should check if the user has
> at least a role that has at least one of the permissions for this page)
> Which is the difference between jsp solution and filter class solution?
> Is filter class more secure?

It's more secure in that you don't depend on jsp folk on getting it
right, given that you're having to do some view controller stuff in your
db it would seem a shame not to control this in a filter... You can
also deactivate the filter during development and let jsp folk write
decent markup, without giving them the secondary problem of security
logic.

You could just write a simple bean (as another option) and use the
trusty useBean tag, but you'll be depending on jsp folk on getting
this right.. A filter is just tidier..


> Thanks a lot
> Ciao!
>
> PS. Good Italian. What does it mean schete?
My bad spelling for "scelte"

mark
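
The filter approach discussed above, sketched as an added example (not code from anyone in this thread). It assumes the `javax.servlet` API, a hypothetical `PermissionStore` backed by the application's role and permission tables, and a hypothetical `permissionStore` servlet-context attribute; the container still authenticates against the single base role in web.xml, and the filter decides per page.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PagePermissionFilter implements Filter {

    /** Hypothetical lookup backed by the application's role/permission tables. */
    public interface PermissionStore {
        Set<String> permissionsOfUser(String username); // union over all the user's roles
        Set<String> permissionsForPage(String pagePath); // permissions that grant this page
    }

    private PermissionStore store;

    public void init(FilterConfig config) throws ServletException {
        // Assumption: the application placed its store in the servlet context at startup.
        store = (PermissionStore) config.getServletContext().getAttribute("permissionStore");
        if (store == null) throw new ServletException("permissionStore not configured");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set by the container after it authenticated the user against the base role.
        String user = request.getRemoteUser();
        // Path inside the web application, as normalized by the container.
        String page = request.getServletPath();
        if (request.getPathInfo() != null) page += request.getPathInfo();

        // Fail closed: no authenticated user or no matching permission means 403.
        if (user == null
                || !isAllowed(store.permissionsOfUser(user), store.permissionsForPage(page))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Deny by default: a page with no configured permissions is not served. */
    static boolean isAllowed(Set<String> held, Set<String> required) {
        if (held == null || required == null || required.isEmpty()) return false;
        for (String p : required) if (held.contains(p)) return true;
        return false;
    }

    public void destroy() { }
}
```

Map the filter in web.xml to the same URL patterns the security-constraint protects, so no protected page is reachable without passing through it.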


>
>
>
> On 3/17/06, Mark Lowe <[EMAIL PROTECTED]> wrote:
> >
> > On 3/17/06, Mark Space <[EMAIL PROTECTED]> wrote:
> > > Alessandro Colantoni wrote:
> > >
> > > > Thanks for rapid answer!
> > > >What do you mean with filter the roles of second level.
> > > >How can I do that? if they are not in the auth-constraint and in the
> > role
> > > >name list they can't access.
> > > >have I to write a filter class? in this class retrieve the role of the
> > user
> > > >and if is one of the second level skip the container authentication?
> > > >I'm in the right way or I misunderstand all?
> > > >
> > > >
> > > Or you could try this:
> > > http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html
> >
> > I had the impression he already had.. I don't get how posting this
> > helps, I must have misunderstood something.. Can you explain please?
> >
> > Mark
> >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
> >
>
>
