Setting Security in Jakarta Tomcat 4.1.18

Hello,

I am trying to manipulate a web site by having the Tomcat users file control who gets to see certain pages on the site depending on their role. This is just for a pilot so the users are just being recorded right in the file.

I am implementing a controller/command pattern where each command class forwards the user to the appropriate page.

If a users types in a url for the page, they are presented a login dialog. If a user tries to access a page from the menu, and is forward to the page via the Controller servlet, they are able to bypass security. The URLs embedded into the pages are "./controller?cmd=ViewDetails". Otherwise there is a servlet mapping that each command class returns the to controller in the format of /viewDetails.

Here is the xml.
<?xml version="1.0" encoding="utf-8"?> <tomcat-users> <role rolename="tomcat"/> <role rolename="role1"/> <role rolename="Player"/> <role rolename="Staff"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="role1" password="tomcat" roles="role1"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="123" password="password" roles="Player"/> <user username="125" password="password" roles="Player"/> <user username="127" password="password" roles="Player"/> <user username="129" password="password" roles="Player"/> <user username="111" password="password" roles="Player"/> <user username="Team3Staff" password="password" roles="Staff, tomcat" /> </tomcat-users>

Any ideas on how to still user the controller servlet to forward users to various pages while still being able to lockdown individual pages?

Thanks for the help!

br

This is the big gotcha with container-managed AUTH and URL mappings. ie: The only way to accomplish differentiated, container-managed AUTH is through setting up different URL mappings.

so your command and control servlet (which is known through a single mapping) is . You're looking at programmatic security. With this angle, you need to authenticate on /*, and then use request.isUserInRole("") in your c+c servlet.

What you might consider though, is providing *multiple* mappings for the control servlet. I know this is really "not the point", but it *would* allow the container AUTH to distinguish (since it can't distinguish something in the query string).

so you'd have in your web.xml:
<servlet> <servlet-name>controller</servlet-name> <servlet-class>your.package.Foo</servlet-class> </servlet> <servlet-mapping> <servlet-name>controller</servlet-name> <url-pattern>/VIEWdetails</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>controller</servlet-name> <url-pattern>/EDITdetails</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>controller</servlet-name> <url-pattern>/DELETEdetails</url-pattern> </servlet-mapping> etc...

Or was that not what you were asking?