On 23/08/2009 22:22, nkrasnov wrote:

Thank you very much for your response.

Yes, I did want to dynamically update the roles.  The reason I was hoping to
do it without making the user re-enter the credentials is because due to
some peculiarities of the application this may happen quite often (several
times within a user's session), and is likely to get annoying.

Really?! Is a role really the appropriate thing for whatever your problem is then?

I hear you about tinkering with the insides of Tomcat, though...  I was
hoping that I was missing something and there was a way to do it without
overwriting SSO valve's behavior.  There is no way to force
re-authentication but make SSO use the cached credentials to re-authenticate
and create a new GenericPrincipal object, is there?

There isn't any way in the current Servlet Spec to do what you ask.
The next version includes programmatic authentication, I think, but there are no containers out there supporting it yet.

Investigate how the FormAuthenticator works in concert with the Realm and you may find a way to do what you need.

You might investigate whether the following can provide you with better functionality:

 http://securityfilter.sourceforge.net/


p


Pid-6 wrote:

On 21/08/2009 19:31, nkrasnov wrote:

Hi,

I have several Tomcat webapps which use SSO and the same Realm for
authentication. All is working as expected, except that I now need to update
roles for the user that's already been authenticated in the past. I seem to
be able to do it successfully for a given request (by calling
LoginContext.login and switching the principals in the subject), but for all
subsequent requests isUserInRole returns false for new roles. The way I
understand it, this is happening because a GenericPrincipal object, which
JAASRealm created in the initial authenticate call, holds a copy of the
original role list, and so on all subsequent calls the SSO valve puts that
GenericPrincipal into the request and its getRoles, which is called by
isUserInRole, accordingly always returns the original list of roles. Is
there any way for me to get around this? I don't seem to have any ability to
update the roles in this GenericPrincipal object once it's put into the SSO
cache... Or, if there is no way to update the roles, can I force
re-authentication without making the user re-enter userid/password (we do
have those stored in the SSO cache, I believe)?

So you want to dynamically update the user roles?
Is there a reason why you can't get the user to log out and back in?

I'd guess that the effort of sending a message to the user suggesting
that they log out, will be less than tinkering with the insides of
Tomcat - things that could change with each release.

Or you could use a servlet Filter to monitor a flag set in the session,
which then forces the session to invalidate & log the user out.

p

Any help would be greatly appreciated.

Thank you very much for your time,
Natasha
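The servlet Filter that Pid suggests above (watch a session flag, invalidate the session, send the user back to the login page) looks roughly like this. This is an added illustration, not code from the thread or from Tomcat; the attribute name, the init-param and the default login path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Forces a fresh login once the application has marked a session as carrying
 * stale roles. The code that changes a user's roles sets the flag with
 * markRolesChanged(session); this filter does the rest on the next request.
 */
public class StaleRolesLogoutFilter implements Filter {

    /** Hypothetical attribute name; any string unique to the app will do. */
    public static final String ROLES_CHANGED = "example.rolesChanged";

    private String loginPath = "/login.jsp"; // assumed default, overridable via init-param

    public static void markRolesChanged(HttpSession session) {
        session.setAttribute(ROLES_CHANGED, Boolean.TRUE);
    }

    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter("loginPath");
        if (configured != null) loginPath = configured;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null && Boolean.TRUE.equals(session.getAttribute(ROLES_CHANGED))) {
            // Drop the session instead of poking at the cached GenericPrincipal:
            // the Realm builds a new principal, with the current role list, on
            // the next successful authentication.
            session.invalidate();
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to /* in web.xml ahead of any other filters so the check runs before the stale principal is consulted; only this webapp's session is invalidated here, and whether the SSO valve then signs the user out of the other webapps as well depends on the Tomcat version in use.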


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





