I have a couple of security questions:

Q1:
===

If GenericPrincipal isn't available from webapps, is there another way to get at the complete list of roles for a given user and their password? I need the complete list of roles for the current user and password to implement a connector from Cocoon authentication to the container authentication.

Jason Loo on 2-5-2002 asked:

"I've been successful in creating a custom JDBCRealm and have extended the GenericPrincipal. However, when attempting to pull my principal from the request (request.getUserPrincipal()) and cast to EITHER org.apache.catalina.realm.GenericPrincipal or my custom principal, I get a Class Cast Exception."

http://marc.theaimsgroup.com/?l=tomcat-user&m=101289699814058&w=2

He pointed to this message:

http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg40073.html

but never got a reply.

I presume that the reason it's not available is because the catalina jar is loaded by a different classloader separate from webapps. [Aside: can't find the documentation that details what each */lib directory does (e.g. common vs lib vs ...)].

Is there any way besides tweaking the classpath (by changing it or by copying JARs) to get at the GenericPrincipal class? There are some convenience methods on GenericPrincipal that are not on Principal that would be nice to get to (complete list of roles for the current user and password).

Q2:
===

Is the implementation of JAASRealm in 4.1 backwards compatible to 4.0.4?

Q3:
===

Does anyone know of a Realm implementation that includes the notion of groups? Maybe I'm thinking about this the wrong way but here's the problem: Parties in our case are users, companies and holding companies. Users are members of one company and can have different application permissions within the company (e.g. manager, employee, reader). Members of a holding company have rights across other companies (e.g. they can be a manager of one but only 'reader' of another).
I can model this in the database but have never found a satisfactory Java implementation that integrates with Tomcat's Realm based security and security constraints. Any pointers would be appreciated.

Thanks,
Per