Hi All,

The company I work for is attempting to move from JRun 3/4 to Tomcat 5.0.19. So far it has been smooth sailing, and the migration is going better than expected.

However, before the migration we were about to deploy a JAAS framework on JRun 4. This framework doesn't seem to work at all well in Tomcat 5.

I've implemented a tailored JAAS framework with various types of Principals that grant certain (custom) Permissions in my own Policy. To enforce this onto the webapp, I used a Filter to establish a LoginContext and then "wrap" the servlet in a Subject.doAsPrivileged call.

To clarify: I'm not looking for authentication through JAAS (I've implemented this in a minimal way), but I'm looking to JAAS for some more elaborate authorization tricks.

In my doFilter (simplified):

    LoginContext lc = new LoginContext("MyJaas", new MyHttpAuthCallbackHandler(request));
    lc.login();
    // Run the rest of the filter chain (and the servlet) as the logged-in Subject
    Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request, response, chain), null);

where FilteredAction is an inner class:

-----------------------------------------------------------
class FilteredAction implements PrivilegedAction {
    ServletRequest faRequest;
    ServletResponse faResponse;
    FilterChain faChain;

    public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
        this.faRequest = request;
        this.faResponse = response;
        this.faChain = chain;
    }

    // Invoked by Subject.doAsPrivileged: continues the chain under the Subject
    public Object run() {
        try {
            faChain.doFilter(faRequest, faResponse);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
-----------------------------------------------------------

I replace the default Policy with my own policy that adds permissions based on principals assigned in the LoginContext. This is done in the Filter's init:

-----------------------------------------------------------
public void init(FilterConfig config) throws ServletException {
    Policy orgPolicy = Policy.getPolicy();
    if (orgPolicy instanceof MyPolicy) {
        // we already did this once upon a time..
    } else {
        // Wrap the original Policy so its grants remain in effect
        Policy.setPolicy(new MyPolicy(orgPolicy));
    }
}
-----------------------------------------------------------

This works like a charm on JRun (it's a "textbook" example on the web).

However, it fails miserably on Tomcat 5. It looks like the Filter is being evaluated in a different security context by Tomcat than the Servlet itself (based on evaluation of stacktraces generated in my custom Policy class). Therefore, none of the Principals assigned to the Subject in the Filter are available in the Servlet (when MyPolicy.getPermissions() is called).

Does anyone have an idea how I should go about getting (something like) this to work on Tomcat?

Any help would be very much appreciated.

Cheers,

Michiel Toneman
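
An added example (not part of the original post, and not Tomcat or JRun code) for testing the observation above that the Principals are missing in the servlet: it reports the Subject bound to the current AccessControlContext, and shows the JAAS behaviour that a nested AccessController.doPrivileged call hides the Subject set by Subject.doAsPrivileged. The class name and RolePrincipal are hypothetical, and it assumes a JDK (8 to 17) on which these legacy APIs still function; it does not establish that Tomcat 5 makes such a call.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectContextProbe {

    // Hypothetical principal type standing in for the custom Principals in the post.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "RolePrincipal[" + name + "]"; }
    }

    // Subject bound to the calling thread's AccessControlContext, or null if none.
    static Subject current() {
        return Subject.getSubject(AccessController.getContext());
    }

    // One-line report of what an authorization check at this point could see.
    static String describe(String where) {
        Subject s = current();
        return where + ": " + (s == null ? "no Subject" : s.getPrincipals().toString());
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new RolePrincipal("editor")); // constructed sample

        Subject.doAsPrivileged(subject, new PrivilegedAction<Void>() {
            public Void run() {
                // Same position as FilteredAction.run(): the Subject is visible here.
                System.out.println(describe("direct call"));

                // Code that re-enters doPrivileged before calling downstream
                // code starts a fresh context without the Subject's combiner.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        System.out.println(describe("after nested doPrivileged"));
                        return null;
                    }
                });
                return null;
            }
        }, null);
    }
}
```

Calling a helper like describe() from the Filter (inside FilteredAction.run()) and again from the servlet shows whether the Subject survives the container's own call path between the two.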