Re: A question about java.security.acl

David Brownell (David.Brownell@Eng)
Wed, 28 May 1997 07:25:52 -0700

Date: Wed, 28 May 1997 07:25:52 -0700
From: David.Brownell@Eng (David Brownell)
Message-Id: <199705281425.HAA29865@argon.eng.sun.com>
To: java-security@web2.javasoft.com, tjc@test.au.tsinghua.edu.cn
Subject: Re: A question about java.security.acl

There are actually two answers here:

(1) In many situations, you should use the web server's administrative
tools to configure access control. That may use java.security.acl
internally, like the Java Web Server:

http://java.sun.com/products/java-server

(2) In some cases, your own web server extension (such as a servlet)
needs to provide its own policy, which is not directly under the
control of the web server administration. In that case:

(a) Get the authenticated identity of your client using
your web server's standard APIs, such as the
javax.servlet.http.HttpServletRequest.getUserName
method;

(b) Get the ACL you're using;

(c) Use the Acl.checkPermission method.

When using (1), you won't need to write any code.

To do (2) you would probably benefit from some tutorial information, which
isn't really available yet as far as I know. However, it should also be
possible to just use those ACL interfaces directly.

- Dave

> From tjc@test.au.tsinghua.edu.cn Tue May 27 22:41:08 1997
> Date: Wed, 01 Jan 1997 13:38:10 +0800
> From: "tjc@test.au.tsinghua.edu.cn" <tjc@test.au.tsinghua.edu.cn>
> To: java-security@web2.javasoft.com
> Subject: A question about java.security.acl
>
> I read the document about the java.security.acl, but I don't know how to
> use my java program on my web server to realize access control.
> Please help me. Thank you!
>
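
The three steps of option (2) in the reply above, as an added Java example that is not part of the original message or of any Sun code. It assumes a JDK that still ships java.security.acl together with the internal sun.security.acl reference classes (JDK 8 or earlier); the ACL name, user names and READ permission are constructed for illustration, and the user name stands in for whatever the web server's API returns in step (a).

```java
import java.security.Principal;
import java.security.acl.Acl;
import java.security.acl.AclEntry;
import java.security.acl.NotOwnerException;
import java.security.acl.Permission;
import sun.security.acl.AclEntryImpl;   // internal JDK classes (assumption: JDK 8 or earlier)
import sun.security.acl.AclImpl;
import sun.security.acl.PermissionImpl;
import sun.security.acl.PrincipalImpl;

public class AclGate {
    // Hypothetical permission name used only in this example.
    static final Permission READ = new PermissionImpl("READ");

    // Step (b): obtain the ACL. Constructed sample policy:
    // alice is granted READ, bob is explicitly denied READ.
    static Acl buildAcl() throws NotOwnerException {
        Principal owner = new PrincipalImpl("admin");
        Acl acl = new AclImpl(owner, "reports");

        AclEntry allowAlice = new AclEntryImpl(new PrincipalImpl("alice"));
        allowAlice.addPermission(READ);
        acl.addEntry(owner, allowAlice);      // only an owner may add entries

        AclEntry denyBob = new AclEntryImpl(new PrincipalImpl("bob"));
        denyBob.setNegativePermissions();     // mark as a deny entry before adding it
        denyBob.addPermission(READ);
        acl.addEntry(owner, denyBob);
        return acl;
    }

    // Step (c): deny by default. userName is the authenticated identity from
    // step (a); null or empty means the request was not authenticated.
    static boolean mayRead(Acl acl, String userName) {
        if (userName == null || userName.isEmpty()) {
            return false;
        }
        return acl.checkPermission(new PrincipalImpl(userName), READ);
    }

    public static void main(String[] args) throws NotOwnerException {
        Acl acl = buildAcl();
        // Covers a granted user, a denied user, an unlisted user, and no identity.
        for (String user : new String[] {"alice", "bob", "mallory", null}) {
            System.out.println(user + " -> " + (mayRead(acl, user) ? "allow" : "deny"));
        }
    }
}
```

In a servlet, the result of `mayRead` would decide between serving the resource and returning an authorization error, with users who have no ACL entry refused the same way as unauthenticated requests.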