Mark,
Thanks a ton for the reply. I almost want to reply with "you're kidding,
right?", as I am kind of speechless that using JAAS (which I am), the
Java platform's standard authentication/authorization API, doesn't allow
one to use a custom principal. It seems like a major hole in Tomcat
security flexibility. I suppose I'll float on over the developer list to
find out more about whether this is a planned change or not, and how
much trouble it would be to add it.
As for your workaround, where can I set the session? My JAAS login
module doesn't have access to the session, I don't believe, which is
where my user principal is created. If I had my principal in the
session, then the default isUserInRole() should work as is, I'll just
retrieve my custom user principal out of the session for other custom data.
Mark, where can I add my user principal to the session?
Brad
Mark Benussi wrote:
If you're implementing JAAS... no. No idea about the rest. Its not supported
in Tomcat (But should be). Stick it in the session, and then you have to
override the Tomcat HttpRequestProcessor (isUserInRole()) to get your
Principal out of the session and call the validation.
-----Original Message-----
From: Brad O'Hearne [mailto:[EMAIL PROTECTED]
Sent: 17 October 2005 22:25
To: Brad O'Hearne
Cc: Tomcat Users List
Subject: Is it even possible to retrieve a custom user principal? (Was:
Tomcat user principal)
Hello,
As this has become a bit of a roadblock in implementing security, I'd
like to ask anyone out there two things:
1) Is it even possible to use a custom user princpal within a realm that
is retrievable within a servlet (via presumably the request or
otherwise) in Tomcat?
2) If the answer to #1 is yes, how is this done? Does anyone have a
working code snippet that demonstrates this?
Thanks, I'm about to head to the developer list to ask this question, as
its pretty crucial for our security implementation.
Brad
Brad O'Hearne wrote:
Response below:
Wendy Smoak wrote:
From: "Brad O'Hearne" <[EMAIL PROTECTED]>
I would have expected that designation of the user class name would
have resulted in my being returned the class I specified for the
user class name from the requestion.getUserPrincpal() method, but it
doesn't.
What version of Tomcat are you using? As far as I know, it works the
way you want on 5.0.28. I remember trying it with and without the
class name, and writing that comment to remind myself.
Could this be it?
http://issues.apache.org/bugzilla/show_bug.cgi?id=37044
I am using 5.0.28, and I'm not seeing the expected behavior.
Hmmm.....was there anything else that has to be done to be able to
access your own custom user principal?
Brad
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
