On 21/08/2009 19:31, nkrasnov wrote:

Hi,

I have several Tomcat webapps which use SSO and the same Realm for
authentication. All is working as expected, except that I now need to update
roles for the user that's already been authenticated in the past. I seem to
be able to do it successfully for a given request (by calling
LoginContext.login and switching the principals in the subject), but for all
subsequent requests isUserInRole returns false for new roles. The way I
understand it, this is happening because a GenericPrincipal object, which
JAASRealm created in the initial authenticate call, holds a copy of the
original role list, and so on all subsequent calls SSO valve puts that
GenericPrincipal into request and its getRoles, which is called by
isUserInRole, accordingly, always returns the original list of roles. Is
there any way for me to get around this? I don't seem to have any ability to
update the roles in this GenericPrincipal object once it's put into SSO
cache... Or, if there is no way to update the roles, can I force
re-authentication without making the user re-enter userid/password (we do
have those stored in SSO cache, I believe)?

So you want to dynamically update the user roles?
Is there a reason why you can't get the user to log out and back in?

I'd guess that the effort of sending a message to the user suggesting that they log out will be less than tinkering with the insides of Tomcat - things that could change with each release.

Or you could use a servlet Filter to monitor a flag set in the session, which then forces the session to invalidate & log the user out.

p

Any help would be greatly appreciated.

Thank you very much for your time,
Natasha

