Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-19 Thread John H

- Original Message - 
From: Jeanfrancois Arcand [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 5:52 PM
Subject: Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question


 Have you tried the privileged attribute in context.xml instead? I'm
 confident it will work for what you are trying to do.

Yes, this worked.

I also enabled the security manager. If I wanted to emulate the
'privileged=true' functionality without exposing as much as
'privileged=true' does, could I do this? I want my app to be able to
'look' into server/lib, but only at what I tell it it can.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-16 Thread Jeanfrancois Arcand


Rossen Raykov wrote:

Probably you can define an interface and use casting while you are accessing
your Principal implementation. Frankly, I didn't try it but it seems like a
usable solution.
There is another technique that is guaranteed to work though. It is very
simple and employs only Java's Reflection.
Four days ago I sent an e-mail to [EMAIL PROTECTED] explaining how
Reflection may be used to extract a user's password from
org.apache.catalina.realm.GenericPrincipal and so far I didn't get any
response.
Probably this is not treated as a security issue so let me make it public.
Attached you will find my original e-mail to [EMAIL PROTECTED] explaining
how this may be accomplished and how one can protect himself from such
exposure.

With the Security Manager turned on, this hack will not work. So there 
is no security issue here. Of course without SecurityManager, you can do 
whatever you want.

-- Jeanfrancois


Regards,
Rossen Raykov
 

-Original Message-
From: John H [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 15, 2004 1:32 PM
To: Tomcat Users List
Subject: Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

Webapps can see GenericPrincipal only when I move 
catalina.jar to common/lib. That's the kicker. Catalina has 
supplied a nice generic principal that implements 
java.security.Principal in useful ways, but then prevents me 
from using it in my webapps (directly or through extensions).

I must be missing the reasoning behind that.

- Original Message - 
From: Benjamin Armintor [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 12:34 PM
Subject: RE: Extending GenericPrincipal/RealmBase: Essentially a classloader question

 Can your webapps see GenericPrincipal?  Looking at the 
 JavaDocs for the Catalina api, it looks like the session 
 façade your app gets is going to have access to a 
 java.security.Principal (likely also a façade), not a 
 GenericPrincipal.  Maybe instead of extending a class in the 
 server/Catalina classloader, you could implement another 
 subclass of java.security.Principal, and have that class 
 loaded in the common classloader.

Benjamin J. Armintor
Systems Analyst
ITS-Systems: Mainframe Group
University of Texas - Austin
tele: (512) 232-6562
email: [EMAIL PROTECTED]


-Original Message-
From: John H [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 11:25 AM
To: Tomcat Users List
Subject: Extending GenericPrincipal/RealmBase: Essentially a classloader question

Hi all,

We have implemented our own realm and principal by extending 
org.apache.catalina.realm.RealmBase and GenericPrincipal.

(Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)

By doing this, however, we've got ourselves into sort of a 
catch 22 in terms of classloading. Hopefully someone can 
offer some assistance.

I've referenced the Class Loader HOW-TO at 
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so
I'll use its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides
physically in server/lib. The howto defines this jar as in the Catalina class
loader. The definition says that the Catalina classes are totally invisible
to web applications, which seems true enough. In order to extend these, I
must locate my jar in server/lib. So far so good.
The problem is that I need to use my extension of GenericPrincipal within my
webapps.
I tried moving my jar to common/lib, since, according to the parent tree in
the howto, it is visible to both the Catalina branch and the webapp branch.
Doing this causes a NoClassDefFoundError for GenericPrincipal. Apparently
since the Catalina classloader is below the common classloader, it can't
find GenericPrincipal.
The only solution that appears to work is moving the entire contents of
server/lib to common/lib, essentially 'promoting' all of the classes
normally in the Catalina class loader to the common class loader.
Is this the best solution? It seems to me that I should be able to extend
RealmBase/GenericPrincipal without having to move jars around.
Any ideas?

John




Subject: Principal's password exposure
From: Rossen Raykov [EMAIL PROTECTED]
Date: Sun, 11 Apr 2004 23:31:07 -0400
To: [EMAIL PROTECTED]

Tomcat's implementation of java.security.Principal,
org.apache.catalina.realm.GenericPrincipal, is exposing the user's password to
the applications.

Class info:
GenericPrincipal has a method declared as:

    public String getPassword()

which returns the principal's password.
This method is used by the various

Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-16 Thread John H
Thanks for the replies.

I've tried some of the suggestions, and I guess I've hit a wall again.

From what I'm seeing, in order to extend RealmBase/GenericPrincipal, your class
MUST exist in server/lib (given the default configuration). I see no other
way, unless I'm missing something. RealmBase is in catalina.jar, which is in
server/lib and is in the catalina classloader. In order for a class to
extend this, it too must be in the catalina classloader.

I tried this modification to catalina.properties:

common.loader=${catalina.base}/common/classes,${catalina.base}/common/endorsed/*.jar,${catalina.base}/common/lib/*.jar,${catalina.base}/server/classes,${catalina.base}/server/lib/*.jar

(note my extension classes are in bbarealm.jar, which is in server/lib)

Without making any more changes (other than moving Tomcat's jars back to
their original locations), this worked. This seems exactly like moving all
the files from server/lib (including my bbarealm.jar) to common/lib, though.

Then I tried this: I moved my bbarealm.jar to shared/lib (making it visible
to the apps), changed the common loader back to its original form, and added
${catalina.home}/shared/lib/bbarealm.jar to the server.loader line. This
results in a NCDF for org.apache.catalina.realm.RealmBase.

*pulls hair* I'm not sure how catalina.policies is going to help me. This
isn't a privileges issue. It's a classloader issue. The only classloader
that seems to allow me to extend RealmBase/GenericPrincipal is the catalina
classloader, and I can't see a way to add a class to this classloader (other
than sticking it in server/lib, which makes it invisible to my apps!). There
is no 'catalina.loader' line in catalina.properties.

*sigh* Any thoughts?

- Original Message - 
From: Jeanfrancois Arcand [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 2:55 PM
Subject: Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question




 John H wrote:

 Hi all,

 We have implemented our own realm and principal by extending
 org.apache.catalina.realm.RealmBase and GenericPrincipal.

 (Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)

 By doing this, however, we've got ourselves into sort of a catch 22 in
 terms of classloading. Hopefully someone can offer some assistance.

 I've referenced the Class Loader HOW-TO at
 http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so
 I'll use its terminology.

 RealmBase and GenericPrincipal are located in catalina.jar, which resides
 physically in server/lib. The howto defines this jar as in the Catalina class
 loader. The definition says that the Catalina classes are totally invisible
 to web applications, which seems true enough. In order to extend these, I
 must locate my jar in server/lib. So far so good.

 The problem is that I need to use my extension of GenericPrincipal within
 my webapps.

 I tried moving my jar to common/lib, since, according to the parent tree
 in the howto, it is visible to both the Catalina branch and the webapp
 branch. Doing this causes a NoClassDefFoundError for GenericPrincipal.
 Apparently since the Catalina classloader is below the common classloader,
 it can't find GenericPrincipal.

 The only solution that appears to work is moving the entire contents of
 server/lib to common/lib, essentially 'promoting' all of the classes
 normally in the Catalina class loader to the common class loader.

 Is this the best solution? It seems to me that I should be able to extend
 RealmBase/GenericPrincipal without having to move jars around.

 Any ideas?

 
 One way will be to define, in your context.xml, the attribute
 privileged=true. This will give the web app access to all the
 server/lib classes (but that's not secure since your web app can play
 with the catalina internals).

 If you can turn the SecurityManager on, then what you can do after
 turning it on (this will protect all catalina classes from package
 definition/insertion... see catalina.properties for the list of
 protections) is add your web app codebase in the
 catalina.policy so only your web app will be able to use the catalina.jar.

 I don't see any other way to achieve what you want to do.

 -- Jeanfrancois






Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-16 Thread Jeanfrancois Arcand


John H wrote:

Thanks for the replies.

I've tried some of the suggestions, and I guess I've hit a wall again.

From what I'm seeing, in order to extend RealmBase/GenericPrincipal, your class
MUST exist in server/lib (given the default configuration). I see no other
way, unless I'm missing something. RealmBase is in catalina.jar, which is in
server/lib and is in the catalina classloader. In order for a class to
extend this, it too must be in the catalina classloader.
I tried this modification to catalina.properties:

common.loader=${catalina.base}/common/classes,${catalina.base}/common/endorsed/*.jar,${catalina.base}/common/lib/*.jar,${catalina.base}/server/classes,${catalina.base}/server/lib/*.jar
(note my extension classes are in bbarealm.jar, which is in server/lib)

Without making any more changes (other than moving Tomcat's jars back to
their original locations), this worked. This seems exactly like moving all
the files from server/lib (including my bbarealm.jar) to common/lib, though.
Then I tried this: I moved my bbarealm.jar to shared/lib (making it visible
to the apps), changed the common loader back to its original form, and added
${catalina.home}/shared/lib/bbarealm.jar to the server.loader line. This
results in a NCDF for org.apache.catalina.realm.RealmBase.
 

Strange... Let me investigate :-)

Have you tried the privileged attribute in context.xml instead? I'm 
confident it will work for what you are trying to do.

*pulls hair* I'm not sure how catalina.policies is going to help me. This
isn't a privileges issue. It's a classloader issue. The only classloader
that seems to allow me to extend RealmBase/GenericPrincipal is the catalina
classloader, and I can't see a way to add a class to this classloader (other
than sticking it in server/lib, which makes it invisible to my apps!). There
is no 'catalina.loader' line in catalina.properties.
 

Yes, but if all the web apps you are deploying need to have the 
privileged attribute, then you might want to turn on the SecurityManager.

-- Jeanfrancois

*sigh* Any thoughts?

- Original Message - 
From: Jeanfrancois Arcand [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 2:55 PM
Subject: Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

 

John H wrote:

Hi all,

We have implemented our own realm and principal by extending
org.apache.catalina.realm.RealmBase and GenericPrincipal.

(Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)

By doing this, however, we've got ourselves into sort of a catch 22 in
terms of classloading. Hopefully someone can offer some assistance.

I've referenced the Class Loader HOW-TO at
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so
I'll use its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides
physically in server/lib. The howto defines this jar as in the Catalina class
loader. The definition says that the Catalina classes are totally invisible
to web applications, which seems true enough. In order to extend these, I
must locate my jar in server/lib. So far so good.

The problem is that I need to use my extension of GenericPrincipal within
my webapps.

I tried moving my jar to common/lib, since, according to the parent tree
in the howto, it is visible to both the Catalina branch and the webapp
branch. Doing this causes a NoClassDefFoundError for GenericPrincipal.
Apparently since the Catalina classloader is below the common classloader,
it can't find GenericPrincipal.

The only solution that appears to work is moving the entire contents of
server/lib to common/lib, essentially 'promoting' all of the classes
normally in the Catalina class loader to the common class loader.

Is this the best solution? It seems to me that I should be able to extend
RealmBase/GenericPrincipal without having to move jars around.

Any ideas?

One way will be to define, in your context.xml, the attribute
privileged=true. This will give the web app access to all the
server/lib classes (but that's not secure since your web app can play
with the catalina internals).
If you can turn the SecurityManager on, then what you can do after
turning it on (this will protect all catalina classes from package
definition/insertion... see catalina.properties for the list of
protections) is add your web app codebase in the
catalina.policy so only your web app will be able to use the catalina.jar.
I don't see any other way to achieve what you want to do.

-- Jeanfrancois





RE: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-15 Thread Benjamin Armintor
Can your webapps see GenericPrincipal?  Looking at the JavaDocs for the Catalina api, 
it looks like the session façade your app gets is going to have access to a 
java.security.Principal (likely also a façade), not a GenericPrincipal.  Maybe instead 
of extending a class in the server/Catalina classloader, you could implement another 
subclass of java.security.Principal, and have that class loaded in the common 
classloader.  

Benjamin J. Armintor
Systems Analyst
ITS-Systems: Mainframe Group
University of Texas - Austin
tele: (512) 232-6562
email: [EMAIL PROTECTED]
 


-Original Message-
From: John H [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 15, 2004 11:25 AM
To: Tomcat Users List
Subject: Extending GenericPrincipal/RealmBase: Essentially a classloader question


Hi all,

We have implemented our own realm and principal by extending 
org.apache.catalina.realm.RealmBase and GenericPrincipal.

(Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)

By doing this, however, we've got ourselves into sort of a catch 22 in terms of 
classloading. Hopefully someone can offer some assistance.

I've referenced the Class Loader HOW-TO at 
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so I'll use 
its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides physically 
in server/lib. The howto defines this jar as in the Catalina class loader. The 
definition says that the Catalina classes are totally invisible to web applications, 
which seems true enough. In order to extend these, I must locate my jar in server/lib. 
So far so good.

The problem is that I need to use my extension of GenericPrincipal within my webapps.

I tried moving my jar to common/lib, since, according to the parent tree in the howto, 
it is visible to both the Catalina branch and the webapp branch. Doing this causes a 
NoClassDefFoundError for GenericPrincipal. Apparently since the Catalina classloader 
is below the common classloader, it can't find GenericPrincipal. 

The only solution that appears to work is moving the entire contents of server/lib to 
common/lib, essentially 'promoting' all of the classes normally in the Catalina class 
loader to the common class loader. 

Is this the best solution? It seems to me that I should be able to extend 
RealmBase/GenericPrincipal without having to move jars around. 

Any ideas?

John




Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-15 Thread John H
Webapps can see GenericPrincipal only when I move catalina.jar to
common/lib. That's the kicker. Catalina has supplied a nice generic
principal that implements java.security.Principal in useful ways, but then
prevents me from using it in my webapps (directly or through extensions).

I must be missing the reasoning behind that.

- Original Message - 
From: Benjamin Armintor [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 12:34 PM
Subject: RE: Extending GenericPrincipal/RealmBase: Essentially a classloader question


Can your webapps see GenericPrincipal?  Looking at the JavaDocs for the
Catalina api, it looks like the session façade your app gets is going to
have access to a java.security.Principal (likely also a façade), not a
GenericPrincipal.  Maybe instead of extending a class in the server/Catalina
classloader, you could implement another subclass of
java.security.Principal, and have that class loaded in the common
classloader.

Benjamin J. Armintor
Systems Analyst
ITS-Systems: Mainframe Group
University of Texas - Austin
tele: (512) 232-6562
email: [EMAIL PROTECTED]



-Original Message-
From: John H [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 11:25 AM
To: Tomcat Users List
Subject: Extending GenericPrincipal/RealmBase: Essentially a classloader question


Hi all,

We have implemented our own realm and principal by extending
org.apache.catalina.realm.RealmBase and GenericPrincipal.

(Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)

By doing this, however, we've got ourselves into sort of a catch 22 in terms
of classloading. Hopefully someone can offer some assistance.

I've referenced the Class Loader HOW-TO at
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so
I'll use its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides
physically in server/lib. The howto defines this jar as in the Catalina class
loader. The definition says that the Catalina classes are totally invisible
to web applications, which seems true enough. In order to extend these, I
must locate my jar in server/lib. So far so good.

The problem is that I need to use my extension of GenericPrincipal within my
webapps.

I tried moving my jar to common/lib, since, according to the parent tree in
the howto, it is visible to both the Catalina branch and the webapp branch.
Doing this causes a NoClassDefFoundError for GenericPrincipal. Apparently
since the Catalina classloader is below the common classloader, it can't
find GenericPrincipal.

The only solution that appears to work is moving the entire contents of
server/lib to common/lib, essentially 'promoting' all of the classes
normally in the Catalina class loader to the common class loader.

Is this the best solution? It seems to me that I should be able to extend
RealmBase/GenericPrincipal without having to move jars around.

Any ideas?

John




Re: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-15 Thread Jeanfrancois Arcand


John H wrote:

Hi all,

We have implemented our own realm and principal by extending org.apache.catalina.realm.RealmBase and GenericPrincipal.

(Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)

By doing this, however, we've got ourselves into sort of a catch 22 in terms of classloading. Hopefully someone can offer some assistance.

I've referenced the Class Loader HOW-TO at http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so I'll use its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides physically in server/lib. The howto defines this jar as in the Catalina class loader. The definition says that the Catalina classes are totally invisible to web applications, which seems true enough. In order to extend these, I must locate my jar in server/lib. So far so good.

The problem is that I need to use my extension of GenericPrincipal within my webapps.

I tried moving my jar to common/lib, since, according to the parent tree in the howto, it is visible to both the Catalina branch and the webapp branch. Doing this causes a NoClassDefFoundError for GenericPrincipal. Apparently since the Catalina classloader is below the common classloader, it can't find GenericPrincipal. 

The only solution that appears to work is moving the entire contents of server/lib to common/lib, essentially 'promoting' all of the classes normally in the Catalina class loader to the common class loader. 

Is this the best solution? It seems to me that I should be able to extend RealmBase/GenericPrincipal without having to move jars around. 

Any ideas?
 

One way will be to define, in your context.xml, the attribute 
privileged=true. This will give the web app access to all the 
server/lib classes (but that's not secure since your web app can play 
with the catalina internals).

If you can turn the SecurityManager on, then what you can do after 
turning it on (this will protect all catalina classes from package 
definition/insertion... see catalina.properties for the list of 
protections) is add your web app codebase in the 
catalina.policy so only your web app will be able to use the catalina.jar.

I don't see any other way to achieve what you want to do.

-- Jeanfrancois



John
 





RE: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-15 Thread Rossen Raykov
Probably you can define an interface and use casting while you are accessing
your Principal implementation. Frankly, I didn't try it but it seems like a
usable solution.

There is another technique that is guaranteed to work though. It is very
simple and employs only Java's Reflection.
Four days ago I sent an e-mail to [EMAIL PROTECTED] explaining how
Reflection may be used to extract a user's password from
org.apache.catalina.realm.GenericPrincipal and so far I didn't get any
response.
Probably this is not treated as a security issue so let me make it public.

Attached you will find my original e-mail to [EMAIL PROTECTED] explaining
how this may be accomplished and how one can protect himself from such
exposure.

Regards,
Rossen Raykov


 -Original Message-
 From: John H [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, April 15, 2004 1:32 PM
 To: Tomcat Users List
 Subject: Re: Extending GenericPrincipal/RealmBase: 
 Essentially a classloader question
 
 
 Webapps can see GenericPrincipal only when I move 
 catalina.jar to common/lib. That's the kicker. Catalina has 
 supplied a nice generic principal that implements 
 java.security.Principal in useful ways, but then prevents me 
 from using it in my webapps (directly or through extensions).
 
 I must be missing the reasoning behind that.
 
 - Original Message - 
 From: Benjamin Armintor [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 12:34 PM
 Subject: RE: Extending GenericPrincipal/RealmBase: 
 Essentially a classloader question
 
 
 Can your webapps see GenericPrincipal?  Looking at the 
 JavaDocs for the Catalina api, it looks like the session 
 façade your app gets is going to have access to a 
 java.security.Principal (likely also a façade), not a 
 GenericPrincipal.  Maybe instead of extending a class in the 
 server/Catalina classloader, you could implement another 
 subclass of java.security.Principal, and have that class 
 loaded in the common classloader.
 
 Benjamin J. Armintor
 Systems Analyst
 ITS-Systems: Mainframe Group
 University of Texas - Austin
 tele: (512) 232-6562
 email: [EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: John H [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 11:25 AM
 To: Tomcat Users List
 Subject: Extending GenericPrincipal/RealmBase: Essentially a 
 classloader question
 
 
 Hi all,
 
 We have implemented our own realm and principal by extending 
 org.apache.catalina.realm.RealmBase and GenericPrincipal.
 
 (Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)
 
 By doing this, however, we've got ourselves into sort of a 
 catch 22 in terms of classloading. Hopefully someone can 
 offer some assistance.
 
 I've referenced the Class Loader HOW-TO at 
 http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so I'll use its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides
physically in server/lib. The howto defines this jar as in the Catalina class
loader. The definition says that the Catalina classes are totally invisible
to web applications, which seems true enough. In order to extend these, I
must locate my jar in server/lib. So far so good.

The problem is that I need to use my extension of GenericPrincipal within my
webapps.

I tried moving my jar to common/lib, since, according to the parent tree in
the howto, it is visible to both the Catalina branch and the webapp branch.
Doing this causes a NoClassDefFoundError for GenericPrincipal. Apparently
since the Catalina classloader is below the common classloader, it can't
find GenericPrincipal.

The only solution that appears to work is moving the entire contents of
server/lib to common/lib, essentially 'promoting' all of the classes
normally in the Catalina class loader to the common class loader.

Is this the best solution? It seems to me that I should be able to extend
RealmBase/GenericPrincipal without having to move jars around.

Any ideas?

John


---BeginMessage---
Title: Principal's password exposure

Tomcat's implementation of java.security.Principal,
org.apache.catalina.realm.GenericPrincipal, is exposing the user's password to
the applications.

Class info:
GenericPrincipal has a method declared as:

    public String getPassword()

which returns the principal's password.
This method is used by the various realm implementations in the same
package.

Problem description:
Although GenericPrincipal is instantiated by a different class loader, an
application may use Java's reflection to obtain the principal's password.
This problem exists in both 4.x and 5.x implementations

RE: Extending GenericPrincipal/RealmBase: Essentially a classloader question

2004-04-15 Thread Benjamin Armintor
To be fair, the reflection API makes it difficult to hide much of anything, even if 
the accessor methods aren't public.  If you're really security conscious, and can't 
vet all the code in your app server, you should be running with the security manager 
on.  This allows you to prohibit both reflection and access to other classloaders.


-Original Message-
From: Rossen Raykov [mailto:[EMAIL PROTECTED]
Sent: Thu 4/15/2004 9:50 PM
To: 'Tomcat Users List'
Cc: 
Subject: RE: Extending GenericPrincipal/RealmBase: Essentially a classloader question
Probably you can define an interface and use casting while you are accessing
your Principal implementation. Frankly, I didn't try it but it seems like a
usable solution.

There is another technique that is guaranteed to work though. It is very
simple and employs only Java's Reflection.
Four days ago I sent an e-mail to [EMAIL PROTECTED] explaining how
Reflection may be used to extract a user's password from
org.apache.catalina.realm.GenericPrincipal and so far I didn't get any
response.
Probably this is not treated as a security issue so let me make it public.

Attached you will find my original e-mail to [EMAIL PROTECTED] explaining
how this may be accomplished and how one can protect himself from such
exposure.

Regards,
Rossen Raykov


 -Original Message-
 From: John H [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, April 15, 2004 1:32 PM
 To: Tomcat Users List
 Subject: Re: Extending GenericPrincipal/RealmBase: 
 Essentially a classloader question
 
 
 Webapps can see GenericPrincipal only when I move 
 catalina.jar to common/lib. That's the kicker. Catalina has 
 supplied a nice generic principal that implements 
 java.security.Principal in useful ways, but then prevents me 
 from using it in my webapps (directly or through extensions).
 
 I must be missing the reasoning behind that.
 
 - Original Message - 
 From: Benjamin Armintor [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 12:34 PM
 Subject: RE: Extending GenericPrincipal/RealmBase: 
 Essentially a classloader question
 
 
 Can your webapps see GenericPrincipal?  Looking at the 
 JavaDocs for the Catalina api, it looks like the session 
 façade your app gets is going to have access to a 
 java.security.Principal (likely also a façade), not a 
 GenericPrincipal.  Maybe instead of extending a class in the 
 server/Catalina classloader, you could implement another 
 subclass of java.security.Principal, and have that class 
 loaded in the common classloader.
 
 Benjamin J. Armintor
 Systems Analyst
 ITS-Systems: Mainframe Group
 University of Texas - Austin
 tele: (512) 232-6562
 email: [EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: John H [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 11:25 AM
 To: Tomcat Users List
 Subject: Extending GenericPrincipal/RealmBase: Essentially a 
 classloader question
 
 
 Hi all,
 
 We have implemented our own realm and principal by extending 
 org.apache.catalina.realm.RealmBase and GenericPrincipal.
 
 (Using TC5.0.19 on Solaris and Windows. Realm defined in Context.)
 
 By doing this, however, we've got ourselves into sort of a 
 catch 22 in terms of classloading. Hopefully someone can 
 offer some assistance.
 
 I've referenced the Class Loader HOW-TO at 
 http://jakarta.apache.org/tomcat/tomcat-5.0-doc/class-loader-howto.html, so I'll use its terminology.

RealmBase and GenericPrincipal are located in catalina.jar, which resides
physically in server/lib. The howto defines this jar as in the Catalina class
loader. The definition says that the Catalina classes are totally invisible
to web applications, which seems true enough. In order to extend these, I
must locate my jar in server/lib. So far so good.

The problem is that I need to use my extension of GenericPrincipal within my
webapps.

I tried moving my jar to common/lib, since, according to the parent tree in
the howto, it is visible to both the Catalina branch and the webapp branch.
Doing this causes a NoClassDefFoundError for GenericPrincipal. Apparently
since the Catalina classloader is below the common classloader, it can't
find GenericPrincipal.

The only solution that appears to work is moving the entire contents of
server/lib to common/lib, essentially 'promoting' all of the classes
normally in the Catalina class loader to the common class loader.

Is this the best solution? It seems to me that I should be able to extend
RealmBase/GenericPrincipal without having to move jars around.

Any ideas?

John
