Hector Gonzalez wrote:

> Hi Craig,
>
> Thanks a lot for the answer. I have a few follow-up questions though.
>
> > > 1. Modify the realm programmatically, that is add users, remove users,
> > > add roles, etc.
> >
> > This one is easy ... simply update the database.  For example, adding a
> > new row in the users table makes that user instantly able to log in.
>
> Sun defines methods like addUser and addRole to the Realm class they
> implement for the J2EE petstore application. I thought that the Tomcat Realm
> class was similar to that one but looking at the source code I can see that
> those methods do not exist. They do exist in the SimpleRealm sample file.
>

I didn't make myself very clear here ... let me try again.

The JDBCRealm class in Tomcat reads the database every time to decide whether a
user is valid or not, and what their roles are.  But the JDBCRealm class does
*not* provide any mechanisms to modify the contents of the realm -- the
assumption is that you will be doing that by external means.

Thus, you will need to write an application to add users directly to the
database.  As long as your application updates the same database tables and
columns that the JDBCRealm is looking at, those changes will be instantly
available to Tomcat.  Because you can do this, there is no need to provide any
APIs *inside* of Tomcat to modify users.  (And, you would not be able to access
them anyway from a servlet.)

>
> > You can do these updates either through a web-based administration
> > application that you might write, or through external applications or SQL
> > scripts.
> >
> > > 2. Tell Tomcat that user x should be logged into the application. I
> > > would like to automatically log some users based on a cookie.
> >
> > This one is not easy ... you would need to modify Tomcat to make it
> > possible.
>
> I was looking into the source code and the file SecurityTools checks for
> user and password reading two attributes from the session: j_username and
> j_password. The comments in the source code say:
> "It is possible for a servlet to set the attributes and bypass the security
> checking - but that's ok, since everything happens inside a web application
> and all servlets are in the same domain". I have not tried it yet though.
>

Those aren't my comments, so I can't vouch for them.

You can certainly do this kind of stuff with a RequestInterceptor (Tomcat 3.x)
or Valve (Tomcat 4.x).  But you cannot do it from a servlet -- thus, this
counts as "modifying Tomcat" in my book.  That's fine, if that is what you want
to do, but your changes will be specific to Tomcat, and not portable to other
containers.

>
> Regards
> Hector

Craig
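An added illustration of the "external application updates the same tables" approach described above (example code, not from the thread or from Tomcat): it manages a users/user_roles schema matching the example in the JDBCRealm documentation, stores a digest instead of the clear-text password, and includes a realm_check function that mirrors the per-login lookup JDBCRealm performs, so you can see an added or removed user take effect immediately. The column names, the sqlite3 backing store and the choice of digest="SHA" are assumptions.

```python
import hashlib
import hmac
import sqlite3
from typing import Iterable, List

# Assumed schema: the users/user_roles example from the JDBCRealm docs. The
# realm's userTable, userNameCol, userCredCol, userRoleTable and roleNameCol
# attributes must name exactly these tables/columns or it will not see the rows.
SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    user_name TEXT PRIMARY KEY,
    user_pass TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS user_roles (
    user_name TEXT NOT NULL,
    role_name TEXT NOT NULL,
    PRIMARY KEY (user_name, role_name));
"""


def credential(password: str) -> str:
    # Value stored in user_pass. Assumption: the realm is configured with
    # digest="SHA" so it hashes the submitted password the same way before
    # comparing; without that attribute it expects clear text in the column.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def open_realm_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_user(conn: sqlite3.Connection, user: str, password: str,
             roles: Iterable[str]) -> None:
    # One transaction, so the realm never observes a user with half the roles.
    with conn:
        conn.execute("INSERT INTO users (user_name, user_pass) VALUES (?, ?)",
                     (user, credential(password)))
        conn.executemany("INSERT INTO user_roles (user_name, role_name) VALUES (?, ?)",
                         [(user, r) for r in roles])


def remove_user(conn: sqlite3.Connection, user: str) -> None:
    with conn:
        conn.execute("DELETE FROM user_roles WHERE user_name = ?", (user,))
        conn.execute("DELETE FROM users WHERE user_name = ?", (user,))


def realm_check(conn: sqlite3.Connection, user: str, password: str) -> List[str]:
    # What JDBCRealm does on every login: fetch the stored credential, compare,
    # then fetch the roles. Returns [] when authentication fails.
    row = conn.execute("SELECT user_pass FROM users WHERE user_name = ?", (user,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], credential(password)):
        return []
    rows = conn.execute("SELECT role_name FROM user_roles WHERE user_name = ? ORDER BY role_name",
                        (user,)).fetchall()
    return [r[0] for r in rows]
```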