Craig,

After a long delay, I'm looking at your proposed functional spec for the Tomcat 4 JNDI Realm, and am having trouble with this excerpt from the "Administrator Login Mode Functionality" section:

> The following approaches should be supported [ for retrieving the roles associated with an authenticated user ]
>
> Retrieve a specified attribute (possibly multi-valued) from an LDAP search expression, with a replacement placeholder
> for the DN or username of the user. [Current]
>
> Retrieve a set of role names that are defined implicitly (by selecting principals that match a search pattern) rather
> than explicitly (by finding a particular attribute value). [Requested]

The existing code certainly implements the first approach, which I assume could be rephrased as:

    Retrieve the values of a specified attribute from all directory entries matching an LDAP search filter expression. The search expression is constructed by substituting the user's DN and/or username into a string pattern specified as the roleSearch configuration property.

However, I guess I don't understand what you mean by the second approach. Do you have a specific example? I would have thought that the current approach covers all use cases (although admittedly the implementation may not be optimal for the special case in which role names are held explicitly as the values of an attribute in the user's directory entry).

Cheers,

John.