Hi there,

From a servlet, the logged-on user is represented by a Principal instance, which has a getName() to get the logon name of that user. In most cases, that is a more or less cryptic name like c.klein or m.scott.

Some of our customers like the name of the currently logged-on user to be displayed in the application's GUI. We all know that from many popular applications.

While relying on the Servlet specs only, we can just show that non-user-friendly logon name. Our customers prefer seeing the user's display name. Other attributes of the user, like e-mail address, phone number, department etc., are often welcome (if not required) information during an application's lifetime.

It's not too hard to hook into session initialization and get the required extra information, for example through JDBC or JNDI, if the user database is actually an Active Directory Server. That information can then be stored in the user's session attributes map.

However, one has to implement that information retrieval "by hand" for every application and/or customer. Even worse, typically credentials are required to access the storage in which that information lives. If it's in the application's 'standard' database, there's a good chance to have a Tomcat connection pool. However, in general, you need credentials and access data to get these additional attributes (credentials and JDBC URL may be configured in Context or Servlet parameters).

Does anybody know a more general way to get such extra user attributes?


My proposal:

Typically, those desired extra attributes are stored in the user's record in the user database. That may be a SQL database or may be an Active Directory Server (or any other directory), which is already used for authentication and authorization.

Wouldn't it be cool to make the Realm get us that extra information?

Why the realm?

First, in order to perform authentication, the Realm already has access to the user database. So, access data and credentials must not be configured twice at different places.

Second, the Realm knows how to query the user database and does that already for retrieving roles and passwords. Getting some more fields shouldn't be a big deal.

Third, the Realm actually creates and initializes the Principal instance, so it should be easy to store these extra user attributes in an extended version of the TomcatPrincipal class. A simple Map<String, String> should be sufficient, but for the sake of uniformity, the well-known methods getAttribute, getAttributeNames, removeAttribute and setAttribute may be a better option.

That's clearly something not all Realms can/shall support. Likely JAASRealm will not, since it uses custom Principal classes. But JNDIRealm, JDBCRealm and DataSourceRealm (not yet sure about UserDatabaseRealm) could easily support that feature.

In its simplest form, these Realms get a new configuration property 'extraAttributes', which takes a comma-separated list of field names to retrieve. Implicitly, for an SQL-based Realm, these fields are queried from the 'userTable' table. The JNDIRealm tries to find these attributes from the user's entry in the directory, of course.

More complex configurations are possible (but likely not needed).

I'm curious what you think about it :)

Carsten
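
The following is an added example, not part of the message above and not Tomcat code. It sketches how a SQL-based realm could handle the proposed 'extraAttributes' list: column names cannot be bound as JDBC parameters, so each one is checked as a plain identifier, and the credential column is refused so a password hash never lands in the Principal. All class and method names are hypothetical, the table and column names are constructed samples, and keeping the attributes read-only is a choice of this example.

```java
import java.security.Principal;
import java.util.*;
import java.util.regex.Pattern;
// Hypothetical sketch; none of these classes exist in Tomcat.
public class ExtraAttributesSketch {
    // Column names cannot be bound as JDBC parameters, so only plain identifiers pass.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Parses the proposed 'extraAttributes' list and refuses the credential column. */
    static List<String> parseExtraAttributes(String config, String userCredCol) {
        List<String> cols = new ArrayList<>();
        for (String raw : config.split(",")) {
            String col = raw.trim();
            if (col.isEmpty()) continue;
            if (!IDENTIFIER.matcher(col).matches())
                throw new IllegalArgumentException("Not a plain column name: " + col);
            if (col.equalsIgnoreCase(userCredCol))
                throw new IllegalArgumentException("Credential column requested: " + col);
            cols.add(col);
        }
        return cols;
    }

    /** Builds the lookup against userTable; the user name stays a bound parameter. */
    static String buildQuery(List<String> cols, String userTable, String userNameCol) {
        if (cols.isEmpty()) throw new IllegalArgumentException("No extra attributes configured");
        return "SELECT " + String.join(", ", cols) + " FROM " + userTable
                + " WHERE " + userNameCol + " = ?";
    }

    /** Principal holding a read-only copy of what the realm fetched. */
    static final class AttributePrincipal implements Principal {
        private final String name;
        private final Map<String, String> attributes;
        AttributePrincipal(String name, Map<String, String> attributes) {
            this.name = name;
            this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
        }
        @Override public String getName() { return name; }
        public String getAttribute(String key) { return attributes.get(key); }
        public Set<String> getAttributeNames() { return attributes.keySet(); }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        List<String> cols = parseExtraAttributes("display_name, mail, department", "user_pass");
        System.out.println(buildQuery(cols, "users", "user_name"));
        AttributePrincipal p = new AttributePrincipal("c.klein",
                Collections.singletonMap("mail", "c.klein@example.org"));
        System.out.println(p.getName() + " -> " + p.getAttribute("mail"));
    }
}
```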
