Hi! I'm trying to find the best way to implement passwordless user
switching. In our application, a privileged user can "substitute"
another one by selecting him from a list. The switch must be performed
transparently without the substituted user's password and without asking
the user to log in again. It's not a mere permission issue; he needs to
become the substituted user.

We've been thinking about several ways to achieve this. The first idea
was to change the Principal object stored in the request, but the
CoyoteRequestFacade wrapper that Tomcat uses doesn't have a
setUserPrincipal method.

We are using Tomcat 5 and our own realm class that extends JDBCRealm to
authenticate, and we've thought about a method to manage the user's
substitution by changing some values in the db, but A) we would be very
grateful to anyone who comes up with a better solution and B) we don't
know how to avoid the login form to make the switch transparent to the
user. We think that maybe a cookie is needed for this, but we would
prefer to do without it.

Thanks in advance.

