
I am very new to web-app development and its security, and I am trying to understand how things fit together.

Everywhere I look for how to implement security in my webapp, I am told to use declarative security. For example, in Tomcat I can declare the roles in the tomcat-users.xml file like the following one.

<tomcat-users>
  <user name="tomcat" password="s3cret" roles="manager-gui" />
</tomcat-users>

This part I can understand.

Now suppose I have added some of these roles in my web-app, and a user of my web-app makes a request to some resource in it. I want to know: how would the container, or I, know which role the user has made the request with?

Thank you.

me_digvijay

1 Answer

Using Tomcat and JSP:

A DataSourceRealm can point to a database containing User and User Role tables, but using UserDatabaseRealm (points to tomcat-users.xml) works fine as well.

If you want to protect all JSP pages in a specific folder, add this to your web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Folder Description</web-resource-name>
    <url-pattern>/foldername/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_ADMIN</role-name>
  </auth-constraint>
</security-constraint>

If you want to know if a user has a specific role upon entering a page, you can use:

boolean hasAdminRole = request.isUserInRole("ROLE_ADMIN");
Michael Sanchez
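As an added example (not part of the answer above or of Tomcat's own code), here is a servlet that shows what the container has already established about the caller by the time the request reaches application code: the authenticated Principal and the realm-backed role check. It assumes a Tomcat 9 deployment with the javax.servlet API, the ROLE_ADMIN role name from the answer, and a hypothetical URL pattern /foldername/whoami placed under the protected folder.

```java
// Added example, not from the answer: programmatic check of what the container
// decided during declarative authentication. Assumes Tomcat 9 (javax.servlet);
// ROLE_ADMIN is the role from the answer's web.xml, /foldername/whoami is hypothetical.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/foldername/whoami")
public class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container, not the application, authenticated the user against the
        // realm configured for the context (UserDatabaseRealm, DataSourceRealm, ...)
        // and attached the resulting Principal to the request.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // No matching security-constraint or no login-config, so no login was
            // forced: the caller is anonymous and any role check would be meaningless.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // isUserInRole asks the same realm whether this Principal holds the role.
        // The Servlet spec expects the name to be declared in a <security-role>
        // in web.xml, or mapped through a <security-role-ref> for this servlet.
        if (!req.isUserInRole("ROLE_ADMIN")) {
            // Authenticated but not authorised: 403, not a second login prompt.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        // getAuthType reports which login-config mechanism the container used
        // (BASIC, FORM, ...), which is useful when checking that the constraint fired.
        resp.getWriter().printf("user=%s authType=%s admin=true%n",
                user.getName(), req.getAuthType());
    }
}
```

The request reaches doGet only after the container has applied the security-constraint, so the Principal and role come from the realm, never from anything the client sent in the request body or parameters.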