We have the same requirements, and to agree with Craig, we use the
request.getUserPrincipal()!=null to assert they are
authenticated, and we also use the request.getUserPrincipal().getName() to
get the User Id (or key) so we can use this
in our application.
In addition we've built a variant of the JDBC realm that allows an
additional encryption class to be specified, it will
use this class to encrypt the password before validating it with the
database. (We decided not to add this to RealmBase, but
I'm sure could if you wanted).
Example
Realm className = org.jaffa.tomcat.realm.JDBCEncryptionRealm
debug = 99
driverName = oracle.jdbc.driver.OracleDriver
connectionURL =
jdbc:oracle:thin:@host.domain.com:1521:dbname
connectionName = dummyuser
connectionPassword = dummypass
userTable = use1
userNameCol= userid
userCredCol= password1
userRoleTable = usrl
roleNameCol= role_name
encryptionClass=
com.domain.applications.user.services.Encryption
encryptionMethod = customEncrypt
/
It also has some other nice features
It is being released as part of the http://jaffa.sf.net project, but it you
want an advanced copy of the source, class, jar ,docs etc let me know
BTW: If I have webapp1 deployed on tomcat 4.0x on Linux, and another webapp2
on Tomcat on a W2K box, is there any way to implement single sign on across
the two?
Paul Extance
[EMAIL PROTECTED]
-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 9:39 AM
To: Tomcat Users List
Subject: Re: share session between webapps
On Wed, 31 Jul 2002, Michael Remijan wrote:
Date: Wed, 31 Jul 2002 08:34:34 -0500
From: Michael Remijan [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: share session between webapps
...
Is there technique to share a session, or objects within the session
between web applications?
No. And it wouldn't work even if there was such a mechanism, because each
webapp has its own class loader -- the classes in webapp A's /WEB-INF
directory are not visible to webapp B (and vice versa).
What I want to do is login or register at a
site and if the user moves to a different webapp, I want to be able to
determine, by looking for an object in the user's session, that they are
already logged in.
Using realms and single sign on doesn't appear to do what I want
because it A) doesn't allow me to get me the primary key for the user,
What's wrong with calling request.getRemoteUser() or
request.getUserPrincipal().
B) doesn't allow me to write any special processing code, specifically
to md5 encrypt the password before performing the query.
IMHO, if you are using container managed security you have absolutely no
business messing with passwords. Either let the container manage all of
that or do it yourself.
C) most
importantly, it doesn't seem to allow me to carry information accross
webapps.
This is true for *all* information, not just for security credentials. If
you want to share information across webapps, the standard approaches are:
* Store it externally in a database, EJB, etc. that is accessed
from each webapp
* (Container-specific, so no portability guarantees) store it in
a static variable of a class that is loaded from a parent class
loader of the webapp class loaders. For Tomcat 4, that means
putting the class in someplace like common/lib.
mike/
Craig
--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]
--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
