atom feed73 messages in org.apache.tomcat.usersRe: Authentication and Filters
FromSent OnAttachments
Kevin WilsonJan 7, 2003 8:47 am 
Jason PyeronJan 7, 2003 9:08 am 
Turner, JohnJan 7, 2003 9:14 am 
Jason PyeronJan 7, 2003 9:26 am 
Kevin WilsonJan 7, 2003 9:33 am 
Jason PyeronJan 7, 2003 9:41 am 
Turner, JohnJan 7, 2003 10:00 am 
RasputinJan 7, 2003 10:55 am 
Jason PyeronJan 7, 2003 12:40 pm 
Jason PyeronJan 7, 2003 12:47 pm 
Turner, JohnJan 7, 2003 12:58 pm 
nealJan 8, 2003 1:50 am 
Turner, JohnJan 8, 2003 7:15 am 
nealJan 8, 2003 12:54 pm 
nealJan 8, 2003 12:55 pm 
Turner, JohnJan 8, 2003 1:03 pm 
nealJan 8, 2003 1:34 pm 
Gary GwinJan 8, 2003 2:34 pm 
nealJan 8, 2003 2:46 pm 
Turner, JohnJan 8, 2003 3:24 pm 
nealJan 8, 2003 3:44 pm 
Turner, JohnJan 8, 2003 3:51 pm 
nealJan 8, 2003 3:55 pm 
Turner, JohnJan 8, 2003 5:33 pm 
Craig R. McClanahanJan 8, 2003 6:06 pm 
nealJan 8, 2003 6:28 pm 
Noel J. BergmanJan 8, 2003 6:33 pm 
Turner, JohnJan 8, 2003 7:19 pm 
Turner, JohnJan 8, 2003 7:26 pm 
Craig R. McClanahanJan 8, 2003 7:35 pm 
nealJan 8, 2003 11:06 pm 
nealJan 8, 2003 11:11 pm 
nealJan 8, 2003 11:17 pm 
nealJan 8, 2003 11:21 pm 
Craig R. McClanahanJan 8, 2003 11:23 pm 
nealJan 8, 2003 11:37 pm 
Craig R. McClanahanJan 8, 2003 11:51 pm 
nealJan 9, 2003 12:03 am 
Noel J. BergmanJan 9, 2003 12:08 am 
Turner, JohnJan 9, 2003 2:31 am 
Ralph EinfeldtJan 9, 2003 2:41 am 
nealJan 9, 2003 3:51 am 
nealJan 9, 2003 3:53 am 
Turner, JohnJan 9, 2003 5:22 am 
Turner, JohnJan 9, 2003 5:33 am 
Craig R. McClanahanJan 9, 2003 10:01 am 
nealJan 9, 2003 10:02 am 
Turner, JohnJan 9, 2003 11:16 am 
nealJan 9, 2003 11:25 am 
Noel J. BergmanJan 9, 2003 11:43 am 
nealJan 9, 2003 11:47 am 
Turner, JohnJan 9, 2003 12:09 pm 
Turner, JohnJan 9, 2003 12:11 pm 
Noel J. BergmanJan 9, 2003 12:33 pm 
nealJan 9, 2003 1:41 pm 
Turner, JohnJan 9, 2003 1:45 pm 
Jon EavesJan 9, 2003 2:58 pm 
nealJan 9, 2003 4:04 pm 
Jeffrey WinterJan 9, 2003 4:25 pm 
Craig R. McClanahanJan 9, 2003 5:43 pm 
Jeffrey WinterJan 9, 2003 6:10 pm 
Jeffrey WinterJan 9, 2003 6:11 pm 
Tim FunkJan 9, 2003 6:14 pm 
Craig R. McClanahanJan 9, 2003 7:08 pm 
Craig R. McClanahanJan 9, 2003 7:11 pm 
Tim FunkJan 10, 2003 4:29 am 
Jacob HookomJan 10, 2003 6:36 am 
Cox, CharlieJan 10, 2003 6:47 am 
Tim FunkJan 10, 2003 6:52 am 
AAron nAAsJan 10, 2003 7:03 am 
Jacob HookomJan 10, 2003 7:06 am 
Craig R. McClanahanJan 10, 2003 3:53 pm 
nealJan 19, 2003 10:10 pm 
Subject:Re: Authentication and Filters
From:Tim Funk (funk@joedog.org)
Date:Jan 10, 2003 4:29:10 am
List:org.apache.tomcat.users

I meant 2.5 since changes to 2.4 are closed from my position in the dev community.

My point is only the incoming request is protected by the security constraint in web.xml. It may be nice to allow the programmer to also check future dispatches for authorization before the dispatch occurs.

RequestDispatcher.isAuthorized() was to allow an admin to define additional security contraints in web.xml without writing code. This also requires the cooperation of the developer of a webapp to check for this condition too.

Sorry for starting to take this off-topic.

-Tim

Craig R. McClanahan wrote:

On Thu, 9 Jan 2003, Tim Funk wrote:

Date: Thu, 09 Jan 2003 21:15:12 -0500 From: Tim Funk <funk@joedog.org> Reply-To: Tomcat Users List <tomc@jakarta.apache.org> To: Tomcat Users List <tomc@jakarta.apache.org> Subject: Re: Authentication and Filters

Is there a chance (or worthwhile) that in Servlet API 2.5 a developer could check if an obtained RequestDispatcher would violate a security constraint in web.xml?

I assume you mean Servlet 2.4, right?

For example the following new method: RequestDispatcher.isAuthorized() Returns true if the RequestDispatcher's url passes the constraints defined in web.xml

This does not seem likely to me. Nor does it seem necessary. After all, your application has available everything it needs to know (through calls like request.getUserPrincipal() and request.isUserInRole()) to make this decision for itself. If the app chooses to forward, the container is going to assume that it knows what it is doing.

Now that you can declare a Filter to be imposed on RD calls in Servlet 2.4, that might be a good place to implement a check like this.

-Tim

Craig

-- To unsubscribe, e-mail: <mailto:tomc@jakarta.apache.org> For additional commands, e-mail: <mailto:tomc@jakarta.apache.org>