Pid-6 wrote:
>
>
>> Really?! Is a role really the appropriate thing for whatever your
>> problem is then?
>
> This is what I am trying to decide. If it was possible to update roles,
> then role would be the appropriate thing, as it would allow me not to have
> to implement my own resource/servlet hiding. If what you are saying is
> that role set is something that by definition shouldn't change within a
> session and therefore this functionality should not be supported, then it
> probably isn't.
>
>> There isn't any way in the current Servlet Spec to do what you ask.
>> The next version includes programmatic authentication, I think, but
>> there's no containers out there supporting it yet.
>
>> Investigate how the FormAuthenticator works in concert with the Realm
>> and you may find a way to do what you need.
>
>> You might investigate whether the following can provide you with better
>> functionality:
>
>> http://securityfilter.sourceforge.net/
>
> Thanks a lot for the reference. I'll investigate using security filter.
>
>
>> Pid-6 wrote:
>>>
>>> On 21/08/2009 19:31, nkrasnov wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have several Tomcat webapps which use SSO and the same Realm for
>>>> authentication. All is working as expected, except that I now need to
>>>> update roles for the user that's already been authenticated in the past.
>>>> I seem to be able to do it successfully for a given request (by calling
>>>> LoginContext.login and switching the principals in the subject), but for
>>>> all subsequent requests isUserInRole returns false for new roles. The way
>>>> I understand it, this is happening because a GenericPrincipal object,
>>>> which JAASRealm created in the initial authenticate call, holds a copy of
>>>> the original role list, and so on all subsequent calls SSO valve puts
>>>> that GenericPrincipal into request and its getRoles, which is called by
>>>> isUserInRole, accordingly, always returns the original list of roles.
>>>> Is there any way for me to get around this? I don't seem to have any
>>>> ability to update the roles in this GenericPrincipal object once it's
>>>> put into SSO cache... Or, if there is no way to update the roles, can I
>>>> force re-authentication without making the user re-enter
>>>> userid/password (we do have those stored in SSO cache, I believe)?
>>>
>>> So you want to dynamically update the user roles?
>>> Is there a reason why you can't get the user to log out and back in?
>>>
>>> I'd guess that the effort of sending a message to the user suggesting
>>> that they log out, will be less than tinkering with the insides of
>>> Tomcat - things that could change with each release.
>>>
>>> Or you could use a servlet Filter to monitor a flag set in the session,
>>> which then forces the session to invalidate & log the user out.
>>>
>>> p
>>>
>>>> Any help would be greatly appreciated.
>>>>
>>>> Thank you very much for your time,
>>>> Natasha
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>>
>
>
--
View this message in context: http://www.nabble.com/Updating-Roles-for-a-logged-in-user-while-using-SingleSignOn-tp25085139p25116530.html
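Pid-6's suggestion of a servlet Filter that watches for a flag and invalidates the session is the one piece of this thread that can be shown as code. What follows is an added example written for this page, not code from the thread or from Tomcat. It generalizes the suggestion slightly: because the admin request that changes a user's roles has no handle on the target user's HttpSession, the flag is kept in a ServletContext-scoped set of usernames (attribute name `ForceReloginFilter.pendingUsers`, an assumption of this example) rather than directly in the session, and the filter matches it against `request.getUserPrincipal()` on the user's next request. The `loginPage` init parameter, the class name and the helper `markForRelogin` are likewise assumptions; the servlet API calls (`getSession(false)`, `invalidate()`, `sendRedirect`, `getUserPrincipal`) are the standard javax.servlet ones.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not from the thread): when a user's roles
 * have been changed in the realm's backing store, the user is flagged; on that
 * user's next request the filter drops the session so the container has to
 * authenticate again and builds a fresh principal with the current role list.
 */
public class ForceReloginFilter implements Filter {

    /** ServletContext attribute holding usernames that must log in again (assumed name). */
    static final String PENDING_ATTR = "ForceReloginFilter.pendingUsers";

    private ServletContext context;
    private String loginPage;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        // Where to send the user after the session is dropped; "loginPage" is an assumed init-param.
        String p = config.getInitParameter("loginPage");
        loginPage = (p != null) ? p : "/login.jsp";
        // One thread-safe set shared by every request in this webapp.
        context.setAttribute(PENDING_ATTR, Collections.synchronizedSet(new HashSet<String>()));
    }

    @SuppressWarnings("unchecked")
    private static Set<String> pending(ServletContext ctx) {
        return (Set<String>) ctx.getAttribute(PENDING_ATTR);
    }

    /** Called by the code that updates a user's roles; flags that user for re-login. */
    public static void markForRelogin(ServletContext ctx, String username) {
        Set<String> set = pending(ctx);
        if (set != null) {
            set.add(username);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container authentication runs before filters, so the principal is already set
        // for protected resources. getSession(false) never creates a session just to look.
        Principal user = request.getUserPrincipal();
        HttpSession session = request.getSession(false);

        // Set.remove is atomic on the synchronized set, so the flag is consumed exactly once.
        if (user != null && session != null && pending(context).remove(user.getName())) {
            session.invalidate();   // explicit invalidation, not a timeout
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with a `<filter>` element naming this class and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>` so it sees every request, and have the role-management code call `ForceReloginFilter.markForRelogin(getServletContext(), username)` after it writes the new roles. Two points to check in a deployment with SingleSignOn: the set lives in one webapp's ServletContext, so in the multi-webapp setup described in the thread the flag has to be raised in each webapp (or in a store they share), and whether invalidating one webapp's session also ends the SSO entry for the other webapps should be verified against the SingleSignOn valve of the Tomcat version in use rather than assumed.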