> From: Brad O'Hearne [mailto:[EMAIL PROTECTED]
> Subject: Re: Bug in RealmBase, JAASRealm, and/or Request
> object preventing proper role authorization
>
> If you wanted to try to game the authorization, you'd have to
> take your role principal, shove it into the user principal,
> then let the realm shove both of those again into another
> GenericPrincipal that wrapped it.

No, that's wrappering. What I suggested was declaring your custom principal as a subclass of GenericPrincipal so the JAASRealm code could use it directly.

> I thought about that too, but I don't know enough about the
> other source code to know if it is safe and would affect
> things elsewhere in code.

The rules of subclassing make this perfectly safe. The rest of the code may be using your object, but the other code can only refer to it via the methods declared in the superclass GenericPrincipal; whatever customization you've made is invisible to the rest of Tomcat. You would also have the freedom of overriding the GenericPrincipal methods to suit your needs.

 - Chuck
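
The subclassing approach described in the reply above, as an added sketch that is not part of the original message and not Tomcat's code. `GenericPrincipal` and `realmHasRole` are simplified stand-ins (assumptions) for a realm-side role check that only accepts the `GenericPrincipal` type; `TenantPrincipal` and all sample values are hypothetical.

```java
import java.security.Principal;
import java.util.List;

public class SubclassPrincipalDemo {
    // Simplified stand-in for Tomcat's GenericPrincipal (assumption, not the real class).
    static class GenericPrincipal implements Principal {
        private final String name;
        private final List<String> roles;

        GenericPrincipal(String name, List<String> roles) {
            this.name = name;
            this.roles = List.copyOf(roles);
        }

        @Override
        public String getName() { return name; }

        public boolean hasRole(String role) { return roles.contains(role); }
    }

    // Hypothetical custom principal: its extra state is invisible to container code.
    static class TenantPrincipal extends GenericPrincipal {
        private final String tenant;

        TenantPrincipal(String name, List<String> roles, String tenant) {
            super(name, roles);
            this.tenant = tenant;
        }

        String getTenant() { return tenant; }
    }

    // Stand-in for a realm role check that refers to the principal only via the superclass.
    static boolean realmHasRole(Principal p, String role) {
        if (!(p instanceof GenericPrincipal)) {
            return false; // a Principal of an unrelated type is never authorized
        }
        return ((GenericPrincipal) p).hasRole(role);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Principal custom = new TenantPrincipal("alice", List.of("admin"), "acme");
        Principal unrelated = () -> "alice"; // plain Principal, not a GenericPrincipal
        System.out.println(realmHasRole(custom, "admin"));    // subclass is used directly
        System.out.println(realmHasRole(unrelated, "admin")); // fails the type check
        System.out.println(((TenantPrincipal) custom).getTenant()); // app code can downcast
    }
}
```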