Lb,

lightbulb432 wrote:
> Views would definitely allow me to keep the two tables separate, but then I'd
> have to authenticate against the two source tables separately (i.e. each
> application would point to the source table rather than to the view). If
> pointing both applications to the common view, then doesn't the original
> problem exist?

Don't do that. Create separate views for each of your applications, and use the app-appropriate view for authentication.

If you think this sounds like too much trouble, you're right. Just remember that Tomcat implements the simplest thing that could possibly work wrt authentication. If you don't like it, you can always override the authentication mechanism with something else (securityfilter!) or hand-roll your own realm.

> I took a look at JAASRealm and its authenticate method only takes two
> parameters (username and "credentials", which is really just a single
> password string).
>
>> Is it possible to pass my other credentials to the JAASRealm so that I can
>> pass everything at one time (username, password, other credentials) to the
>> stored procedure, rather than - if I've interpreted this correctly -
>> authenticating once through the JAAS username/password, then again through
>> my stored procedure to "cancel out" the previous authentication.

Uh, you could always pass a concatenated "credential" which includes more than just the password. For instance:

    JAASRealm.authenticate(username, appId + ":" + hash(password));

Then, in your stored procedure, tear apart the "credential" and use part of it as the app identifier. Or, put the appId into the username. Whatever you want to do. There are lots of options.

> So if not JAASRealm, perhaps I need to look at something else to customize?
> I could of course implement my own authentication, but if I can get around
> this one shortcoming of the "credentials" concept being considered a
> password String rather than a generic Collection of multiple Objects, then I
> think I might be able to use Tomcat authentication.

You can still use Tomcat's authentication "mechanism"... you just might have to use your own Realm implementation. Frankly, the org.apache.catalina.Realm interface is baffling to me.

One option is to create a Realm that extends JDBCRealm (or, better yet, DataSourceRealm) and override the authentication method to do your own SQL queries, but keep all the configuration options provided by the superclass. You can even add a configuration option by adding a mutator and accessor to specify the app's id. Then you can do something like this in your context.xml:

    <!-- package.to.your.Realm extends JDBCRealm -->
    <Realm className="package.to.your.Realm"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://localhost/authority"
           connectionName="test"
           connectionPassword="test"
           userTable="users"
           userNameCol="user_name"
           userCredCol="user_pass"
           userRoleTable="user_roles"
           roleNameCol="role_name"
           appId="application-1" />

Just make sure you have setAppId and getAppId methods on your Realm implementation, and then use them when you build your SQL query to verify a login.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
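
The concatenated credential suggested in the message above, as an added example (not code from the original message or from Tomcat): it builds appId + ":" + hash(password) and tears it apart strictly, so a malformed value or a credential issued for another application is rejected. The class name, the allow-list and the use of SHA-256 as a stand-in for the unspecified hash() are assumptions; the parsing is shown in Java rather than in a stored procedure.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

public class CompoundCredential {
    // Constructed allow-list; "application-1" matches the appId in the context.xml above.
    static final Set<String> KNOWN_APPS = Set.of("application-1", "application-2");

    // Stand-in for the message's unspecified hash(): SHA-256, hex-encoded (assumption).
    static String hash(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Client side: build appId + ":" + hash(password) for allow-listed ids only,
    // none of which contains the ':' delimiter.
    static String compose(String appId, String password) throws Exception {
        if (!KNOWN_APPS.contains(appId)) throw new IllegalArgumentException("unknown appId");
        return appId + ":" + hash(password);
    }

    // Server side: split at the FIRST ':' only and reject anything malformed.
    // Returns {appId, hashHex}, or null if the credential is not well-formed.
    static String[] parse(String credential) {
        if (credential == null) return null;
        int i = credential.indexOf(':');
        if (i <= 0 || i == credential.length() - 1) return null;
        String appId = credential.substring(0, i);
        String digest = credential.substring(i + 1);
        if (!KNOWN_APPS.contains(appId) || !digest.matches("[0-9a-f]{64}")) return null;
        return new String[] { appId, digest };
    }

    // Accept only if the credential names this realm's own app and the hashes match.
    static boolean verify(String credential, String realmAppId, String storedHash) {
        String[] parts = parse(credential);
        return parts != null
                && parts[0].equals(realmAppId)
                && MessageDigest.isEqual(parts[1].getBytes(StandardCharsets.US_ASCII),
                                         storedHash.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String stored = hash("s3cret");                    // constructed sample value
        String cred = compose("application-1", "s3cret");
        System.out.println(verify(cred, "application-1", stored));            // own realm
        System.out.println(verify(cred, "application-2", stored));            // other app's realm
        System.out.println(verify("application-1", "application-1", stored)); // no delimiter
    }
}
```

If the appId is carried in the username instead, the same first-delimiter rule applies, and usernames themselves must then be barred from containing the delimiter.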