On 27/05/2021 12:49, Carsten Klein wrote:
On 27/05/2021 10:59, Mark Thomas wrote:
<snip/>
As far as I can tell, removing UserDatabasePrincipal, relying on
GenericPrincipal and User remaining an internal object not exposed via
the Servlet API would achieve the same result with less code.
At this point I am looking for a reason not to remove
UserDatabasePrincipal and I'm not seeing one.
Since User and Role instances support dynamic updates (have a look at
methods addGroup/Role and removeGroup/Role), the special handling in
UserDatabaseRealm.hasRole() is required. Although that feature is
currently not used by Tomcat (is it?), those possible live updates must
be taken into account in the code.
You can just as easily add roles in a database for the DataSourceRealm
or in LDAP for the JNDIRealm and we don't handle the dynamic update case
for either of those. I don't have a strong view of whether we should
handle this or shouldn't but I do have a strong view that we should try
to be consistent.
I will note that it isn't uncommon to have to log out and back in again
to pick up newly allocated groups/roles in other environments.
<snip/>
I think it would be worth handling this is a separate commit to give
folks the chance to review it before proceeding to add attribute support.
+1
Are you talking about a separate commit in my additional-user-attributes
branch? Or is that worth an extra BUG/case/issue?
If we go the removal route then I'd treat that as a separate PR /
bugzilla issue so any discussion remains focussed on the relevant issue.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org