André,

On 5/15/2009 7:36 AM, André Warnier wrote:
> Shashank Rachamalla wrote:
>> Hi!
>> Is there any way to configure <security-constraint> for a webapp to
>> disable authentication and authorization for a particular IP address and
>> enable it for all other IP addresses.
>>
> Probably not, since I doubt that this is foreseen by the Servlet
> Specification.
> But I can think of a way, subject to confirmation by an expert on this
> list :
>
> You could write a simple servlet filter, which checks the caller's IP
> address, and if it matches, sets the user-id in the session to some
> pre-determined value.

You can't really do this in a filter because you can't set the user's
principal at that high level. You'd have to at least use a Valve, so you
could get to the underlying guts in Tomcat required for such a feat.

You'd also have a problem trying to determine which roles to give the
user. Maybe you could hard-code (or soft-code, by listing the roles in
<init-param> elements for the filter/valve) the role values that you
want, and just use all of the roles you recognize in your application.

> It is possible that when the authentication code finds out that there is
> already a user set, it would just return OK and let the call through.

This is possible using securityfilter, since the UserPrincipal is simply
a session attribute. If you put the right attribute in the session, sf
will use that as the currently-logged-in user and perform the
authorization steps against them.

> And for your application code, it would be easier to deal with a case
> where there is always a user-id (even if one is a dummy), than have to
> deal with some cases where it is not set, no ?

I think this is a good idea.

-chris
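The Valve approach Chris describes, written out as an added example (this is not code from the thread, from Tomcat, or from securityfilter). It targets the Tomcat 6.0 API that was current in 2009: the `GenericPrincipal` constructor shown takes a `Realm` as its first argument and drops it in Tomcat 7, so later versions need that line adjusted. The class name `TrustedAddressValve`, the `allow`/`user`/`roles` attribute names, the auth-type label and the addresses in the comments are all assumptions made for the example. Roles are listed as a comma-separated Valve attribute rather than `<init-param>` elements, since a Valve is configured in `context.xml` rather than `web.xml`.

```java
// Added example (not from the thread). Tomcat 6.0 API; GenericPrincipal's
// constructor loses the Realm argument in Tomcat 7 and later.
package example;  // hypothetical package name

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Marks requests from one trusted IP address as already authenticated, so
 * that the Context's Authenticator valve, which runs later in the pipeline,
 * finds a Principal on the request and lets it through without a challenge.
 * All other addresses are untouched and go through normal authentication.
 *
 * Declared in the webapp's META-INF/context.xml (attribute values are
 * assumptions for this example):
 *   <Valve className="example.TrustedAddressValve"
 *          allow="10.0.0.5" user="monitor" roles="reader,reporter"/>
 */
public class TrustedAddressValve extends ValveBase {

    private String allow;                  // the single exact IP address to trust
    private String user = "trusted";       // name the app sees from getRemoteUser()
    private List<String> roles = Collections.emptyList();

    // Tomcat calls these setters for the attributes of the <Valve> element.
    public void setAllow(String allow) { this.allow = allow; }
    public void setUser(String user) { this.user = user; }
    public void setRoles(String csv) {
        this.roles = Arrays.asList(csv.trim().split("\\s*,\\s*"));
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy that is the
        // proxy's address and every client would match. Do not switch this to
        // X-Forwarded-For unless a RemoteIpValve with a trusted-proxy list is
        // configured ahead of this valve, since that header is client-supplied.
        if (allow != null
                && allow.equals(request.getRemoteAddr())
                && request.getUserPrincipal() == null) {
            Principal p = new GenericPrincipal(
                    getContainer().getRealm(), user, null, roles);
            request.setUserPrincipal(p);
            request.setAuthType("TRUSTED_ADDRESS");  // hypothetical label
        }
        getNext().invoke(request, response);
    }
}
```

Two things to check before relying on this. First, the ordering: Tomcat 6 appends the Authenticator valve to the Context pipeline at startup, after valves declared in `context.xml`, which is what lets the built-in authenticators see the Principal already set and skip their challenge; confirm that on the version actually deployed. Second, role checks: `request.isUserInRole()` goes through the Realm's `hasRole()`, which for a `GenericPrincipal` simply consults the role list given here, so the `roles` attribute, not the Realm's user store, decides what the trusted caller may do. Keep that list to the minimum the caller needs rather than every role the application recognizes.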