Quick answer is yes.

On 8/17/06, Propes, Barry L <[EMAIL PROTECTED]> wrote:

I wonder though...do the role_names have to be service or admin or
something like that?

Can they be anything I declare them to be that matches the column in
another DB table?

i.e.
I've got user_name and role_name as columns in the user_roles table.

Can I make a 3rd table also having a column called role_name, but with a
value such as RISK, author, legaldept, etc.?

-----Original Message-----
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form


Are you talking about the tomcat-users.xml file and the roles defined in
there?

The security-constraints are pretty flexible and you can use any number of
ways to define your realms.  If you look at the web.xml for the manager
application (that is shipped with Tomcat), you can see how that realm is
defined and used.  You can even use encrypting on the passwords in that
file.  If you don't mind maintaining that file for roles and users, then
just modify it to fit your needs and change your security constraint for
your web application to match those roles.  Below is a quick example.  If
you are wanting something more flexible, then you can research and use your
favorite database for authentication or even your favorite LDAP.  Below is
a quick example of how to use a user-defined role in the tomcat-users.xml
file and how to match it to two different URLs in one web app.

Please understand, this is just a quick example and I do not dare declare
that this will work.  Just a springboard to help you get your feet wet.


tomcat-users.xml:

<tomcat-users>
   <role rolename="role1"/>
   <role rolename="role2"/>
   <user username="user1" password="userpass1" roles="role1,role2"/>
   <user username="user2" password="userpass2" roles="role2"/>
</tomcat-users>

application's web.xml:

<security-constraint>
   <web-resource-collection>
       <web-resource-name>Restrict to role1 and role2</web-resource-name>
       <url-pattern>/welcome.jsp</url-pattern>
   </web-resource-collection>
   <auth-constraint>
       <role-name>role1</role-name>
       <role-name>role2</role-name>
   </auth-constraint>
</security-constraint>

<security-constraint>
   <web-resource-collection>
       <web-resource-name>Restrict to role2 only</web-resource-name>
       <url-pattern>/other.jsp</url-pattern>
   </web-resource-collection>
   <auth-constraint>
       <role-name>role2</role-name>
   </auth-constraint>
</security-constraint>

<security-role>
   <description>some descr</description>
   <role-name>role1</role-name>
</security-role>
<security-role>
   <role-name>role2</role-name>
</security-role>


On 8/17/06, Propes, Barry L <[EMAIL PROTECTED]> wrote:
>
> to add to my question earlier below, would it be something as simple as?
>
> String juser= (String) request.getAttribute("j_username");
>
> Granted I have no idea what the session attribute is under the hood, only
> know that j_username is the input name for the user_name.
>
> I was thinking with that info, I could then run a select query to extract
> the role_name from an additional joined table to authenticate a step
> further. Does what I am explaining make sense? Forgive me if not.
>
> When I say additional table, I mean one in addition to the user_name and
> user_roles table that Tomcat requires for the form login security
> constraint to work.
>
>
>
> -----Original Message-----
> From: Propes, Barry L
> Sent: Thursday, August 17, 2006 11:13 AM
> To: Tomcat Users List
> Subject: Security constraint/login form
>
>
> I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a
> version on a prod. server and one on my desktop) that you can create the
> simple table titled users and configure it in the server.xml file and then
> likewise configure the web.xml file's security constraint properties.
>
> My question is, can you add other columns to the table and then do a join
> on another table as to further enhance security?
>
> If so, what is involved, and how involved is it?
>
> Thanks!
>
> Barry


--
Marc Farrow



