Re: Tomcat and parallel security realms

Fri, 14 Mar 2008 11:34:13 -0700 

Christopher,

the idea you sketched depends on the constructor being called with a
list of realms. Is that so?
If you look at http://tomcat.apache.org/tomcat-6.0-doc/api/index.html
all realms in org.apache.catalina.realm have only the default constructor.

Probably one would have to get the surrounding container with
Realm.getContainer() and browse the whole nested container tree to get
all realms.

So, a delegating realm seems not that easy. Anyway, I think the
feature of using several realms should be in the server core.

Juergen

On Thu, Mar 13, 2008 at 8:14 PM, Schultz <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
>  Jürgen,
>
>
>  Juergen Weber wrote:
>  | So, if user tomcat logs in, JNDI realm should say "User unknown" and
>  | afterwards memory realm should say "fine, user is allowed".
>  |
>  | Unfortunately, Tomcat can only use one active realm. Is that right?
>
>  Right.
>
>
>  | Is there any other way to get the manager user into Tomcat?
>
>  Write a Realm that wraps two other realms, and use that. Something like
>  this:
>
>  public class MultiRealm
>  ~    extends RealmBase
>  {
>  ~    private List _realms;
>  ~    public MultiRealm(List realms)
>  ~    {
>  ~        _realms = realms;
>  ~    }
>
>  ~    public Principal authenticate(String username, String credentials)
>  ~    {
>  ~        for(Iterator i=_realms.iterator(); i.hasNext(); )
>  ~        {
>  ~            Principal p = ((Realm)i.next()).authenticare(username,
>  ~                                                         credentials);
>
>  ~            if(null != p)
>  ~                return p;
>  ~        }
>
>  ~        return null;
>  ~    }
>
>  ~    // implement the other methods similarly as pass-through methods
>
> }
>
>  | Setting up OpenLdap as Meta Directory before our LDAP server and
>  | putting the "tomcat" user into OpenLDAP seems a bit overblown.
>
>  I would tend to agree.
>
>  If you were to write a decent implementation of the above, I would
>  imagine that the Tomcat folks would happily accept it as a contribution
>  to the project.
>
>  - -chris
>  -----BEGIN PGP SIGNATURE-----
>  Version: GnuPG v1.4.8 (MingW32)
>  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>  iEYEARECAAYFAkfZfRkACgkQ9CaO5/Lv0PCbowCghB4vDu2Rg3GUR7hFvKX2zLZt
>  hz4An2jU7GxmtDsNdU/Z41ftVgVV/4Bc
>  =TiR4
>  -----END PGP SIGNATURE-----
>
>  ---------------------------------------------------------------------
>  To start a new topic, e-mail: users@tomcat.apache.org
>  To unsubscribe, e-mail: [EMAIL PROTECTED]
>  For additional commands, e-mail: [EMAIL PROTECTED]
>
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to