Jeanfrancois Arcand wrote:
>>Hi,
>>
>>I'm close to getting JAAS realm and the memory LoginModule working - if I
>>remember correctly we agreed to make JAAS the default for 5.0 ( I don't
>>remember any objections ).
>>
> What about authorization :-) Right now, the Realm implementation includes
> the 3 authorization methods:
>
> - hasRole
> - hasUserDataPermission
> - hasResourcePermission
>
> Those methods are currently implemented in RealmBase. Are you moving
> them also?

I don't think so. Those are specific to tomcat - not to JAAS.

My thinking was to have generic, common-like stuff that can be used with any app using JAAS. One of the requirements will be to return the Principals associated with the Subject in a certain way - i.e. in a Group named "Roles". Or some other pattern we can support.

hasRole can be implemented on top of this, the other 2 are a different story.

>>If a Principal of type "java.security.acl.Group" is found - named "Roles"
>>- we'll treat all the Principals in that Group as roles. ( the old
>>mechanism should still be supported, of course )
>>
> +1 We will have to document this new feature. I see a lot of questions on
> tomcat-user.....

Actually - another idea would be to return a Group ( which extends Principal) from getUserPrincipal(). The name of the group will be the same as the primary identity ( the username ), so all code will get the same behavior as today ( when we return the GenericPrincipal - but nobody can call the methods since it can't cast ). Since it is a group and it can be cast, users will also be able to get info about the roles.

Costin
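The "Roles" group convention discussed in this message, sketched as an added example (not Tomcat's code and not posted by anyone in the thread): role names are taken only from members of a Group named "Roles" among the Subject's principals, and hasRole is built on top of that. The nested `Group` interface is a local stand-in with the shape of `java.security.acl.Group`, which current JDKs no longer ship; `Named`, `SimpleGroup`, `rolesOf` and the sample principals are hypothetical names constructed for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class RolesGroupDemo {
    // Stand-in for java.security.acl.Group (assumption: same method shape).
    interface Group extends Principal {
        boolean isMember(Principal p);
        Enumeration<? extends Principal> members();
    }

    // Plain named principal, used for both identities and role entries.
    record Named(String name) implements Principal {
        public String getName() { return name; }
    }

    static final class SimpleGroup implements Group {
        private final String name;
        private final Set<Principal> members = new LinkedHashSet<>();
        SimpleGroup(String name, Principal... ps) {
            this.name = name;
            members.addAll(List.of(ps));
        }
        public String getName() { return name; }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<Principal> members() { return Collections.enumeration(members); }
    }

    // Collect role names: only members of a Group named exactly "Roles" count.
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group g && "Roles".equals(g.getName())) {
                for (Principal m : Collections.list(g.members())) roles.add(m.getName());
            }
        }
        return roles;
    }

    // hasRole on top of the convention; identity principals never grant a role.
    static boolean hasRole(Subject subject, String role) {
        return role != null && rolesOf(subject).contains(role);
    }

    public static void main(String[] args) {
        Subject s = new Subject();                       // constructed sample subject
        s.getPrincipals().add(new Named("alice"));       // primary identity
        s.getPrincipals().add(new SimpleGroup("Roles", new Named("admin"), new Named("manager")));
        s.getPrincipals().add(new SimpleGroup("Other", new Named("root"))); // not a roles group
        System.out.println("roles=" + rolesOf(s));
        System.out.println(hasRole(s, "admin") + " " + hasRole(s, "root") + " " + hasRole(s, "alice"));
    }
}
```

A principal that merely shares a name with a role, or sits in a differently named group, grants nothing here, which is the property a realm relying on this convention has to preserve.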