This page (revision-93) was last changed on 06-Aug-2010 19:51 by 198.179.147.6  

This page was created on 17-Jul-2003 19:56 by Ebu

Difference between version and

At line 141 changed one line
* Hmm, let me try to explain things ;) If you secure your application according to the above link you get both Authentication and data needed for Authorization for the current user from the container (basic J2EE Servlet stuff). Then you can ask from the servlet container if the user has the specified role by using the [HttpServletRequest.isUserInRole|http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)] and thus allow access if the user has the required role,as defined with the ALLOW method above, or disallow access in the case of DENY. IMHO the application doesn't have to know anything about where the login-user-name or his/hers role/group information came from. The only problem with CMS is that you need to use tools specific to the container/server to setup users,passwords and group information. Which isn't a problem if you just choose your backend carefully enough (e.g. database with simple schema or use LDAP). There's also [securityfilter|http://securityfilter.sourceforge.net/] project which tries to mimic container manager security. I don't know if it's any use but the site contains some information and discussion about J2EE/JSP/Servlet security related stuff. --jjarkko
* Hmm, let me try to explain things ;) If you secure your application according to the above link you get both Authentication and data needed for Authorization for the current user from the container (basic J2EE Servlet stuff). Then you can ask from the servlet container if the user has the specified role by using the [HttpServletRequest.isUserInRole|http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)] and thus allow access if the user has the required role,as defined with the ALLOW method above, or disallow access in the case of DENY. Name of the authenticated user is available from [request.getUserPrincipal|http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()]. IMHO the application doesn't have to know anything about where the login-user-name or his/hers role/group information came from. The only problem with CMS is that you need to use tools specific to the container/server to setup users,passwords and group information. Which isn't a problem if you just choose your backend carefully enough (e.g. database with simple schema or use LDAP). There's also [securityfilter|http://securityfilter.sourceforge.net/] project which tries to mimic container manager security. I don't know if it's any use but the site contains some information and discussion about J2EE/JSP/Servlet security related stuff. --jjarkko
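Review bot: the added sentence "Name of the authenticated user is available from request.getUserPrincipal" is imprecise about what the call returns. getUserPrincipal() returns a java.security.Principal, and returns null when the request is not authenticated, so the user name comes from getUserPrincipal().getName() after a null check, or from getRemoteUser(). Suggest rewording the sentence to say that, since code that treats the return value as the name, or skips the null check, will fail on anonymous requests. As a style point, the new revision still carries "role,as" and "users,passwords" without a space after the comma.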
| Version | Date Modified | Size | Author |
|---|---|---|---|
| 93 | 06-Aug-2010 19:51 | 0.804 kB | 198.179.147.6 |
| 92 | 12-Oct-2007 06:41 | 1.496 kB | JanneJalkanen |
| 91 | 11-Oct-2007 23:45 | 1.513 kB | 87.101.244.9 |
| 90 | 26-Sep-2007 23:40 | 1.496 kB | JanneJalkanen |
| 89 | 26-Sep-2007 02:46 | 1.527 kB | 60.190.243.173 |
| 88 | 26-Sep-2007 02:45 | 1.518 kB | 218.58.136.4 |
| 87 | 25-Sep-2007 23:36 | 1.505 kB | 209.99.227.70 |
| 86 | 30-Aug-2007 03:06 | 1.496 kB | 203.13.128.101 |
| 85 | 05-Aug-2006 12:06 | 1.105 kB | Janne Jalkanen |
| 84 | 02-Aug-2006 17:25 | 0.938 kB | Martin Hache |
| 83 | 11-Jul-2006 17:12 | 0.257 kB | 146.82.111.234 |
| 82 | 11-Jul-2006 16:31 | 0.057 kB | 193.134.170.35 |
| 81 | 11-Jul-2006 16:30 | 0.052 kB | 193.134.170.35 |