tomcat-dev mailing list archives

From Antony Bowesman
Subject Re: JNDI realm
Date Thu, 26 Apr 2001 10:13:52 GMT
John Holman wrote:
> On a different but related topic,  I wonder whether it is sensible
> to assume that user authentication and the determination of roles
> always use the same mechanisms. For example one might want to use a
> directory service for authentication but look up roles in a database
> - or vice versa. Obviously supporting this would require significant
> refactoring to the Realm implementation in general.

I agree that authentication and role population are two distinctly
separate issues.  It should not be necessary to have to maintain the
authentication repository every time new J2EE components and roles get
deployed.  Applying roles to the authentication mechanism also makes it
harder to reassign roles without forcing users to reauthenticate.

> Finally I've looked (e.g. in the servlet spec) but can't find a
> clear statement about what Principal.getName() should return.
> The current implementation returns the username (ie same as 
> getRemoteUser()). Might the distinguished name be more appropriate
> when a directory service is used?

The whole area of Principals in Web/EJB container is unclear.  Servlet
spec and EJB spec only allow a single Principal.  However, JAAS is
currently being pushed into J2EE, both via J2SE, Connector arch. and
J2EE 1.3 spec.  In this case, it would seem getUserPrincipal is likely
to disappear and JAAS Subject be supported instead.

However, currently Principal.getName() can return whatever your
Principal implementation wants it to return.

Antony Bowesman
Teamware Group
tel: +358 9 5128 2562
fax: +358 9 5128 2705
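
An added example, not part of the original message and not Tomcat's Realm API: a sketch of the separation discussed in this thread, with credentials checked by one component and roles resolved by another at each access check, so a role change takes effect without a new login. All type names, the user, the secret and the distinguished name are constructed, and the role store is assumed to be keyed on whatever `Principal.getName()` returns.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical types for illustration; not Tomcat's Realm interface. Java 11+.
public class SplitRealmDemo {
    interface Authenticator { Optional<Principal> authenticate(String user, char[] password); }
    interface RoleSource { Set<String> rolesFor(Principal p); }

    // Stand-in for a directory bind: verifies credentials, holds no role data.
    static class DirectoryAuthenticator implements Authenticator {
        private final Map<String, String> secrets = Map.of("jsmith", "constructed-secret");
        public Optional<Principal> authenticate(String user, char[] password) {
            String expected = secrets.get(user);
            if (expected == null) return Optional.empty();
            byte[] a = expected.getBytes(StandardCharsets.UTF_8);
            byte[] b = new String(password).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(a, b)) return Optional.empty();
            // Assumption: getName() returns a (constructed) distinguished name.
            String dn = "uid=" + user + ",ou=people,dc=example,dc=org";
            Principal p = () -> dn;
            return Optional.of(p);
        }
    }

    // Stand-in for a role table in a database, keyed by Principal.getName().
    static class DatabaseRoleSource implements RoleSource {
        private final Map<String, Set<String>> table = new ConcurrentHashMap<>();
        void assign(String name, String... roles) { table.put(name, Set.of(roles)); }
        public Set<String> rolesFor(Principal p) { return table.getOrDefault(p.getName(), Set.of()); }
    }

    // Roles are looked up per check, never copied into the Principal at login.
    static boolean isUserInRole(RoleSource roles, Principal p, String role) {
        return roles.rolesFor(p).contains(role);
    }

    public static void main(String[] args) {
        DatabaseRoleSource db = new DatabaseRoleSource();
        Authenticator auth = new DirectoryAuthenticator();
        Principal p = auth.authenticate("jsmith", "constructed-secret".toCharArray()).orElseThrow();
        db.assign(p.getName(), "viewer");
        System.out.println("admin before change: " + isUserInRole(db, p, "admin"));
        db.assign(p.getName(), "viewer", "admin"); // role reassigned, same session
        System.out.println("admin after change:  " + isUserInRole(db, p, "admin"));
        System.out.println("bad password accepted: " + auth.authenticate("jsmith", "x".toCharArray()).isPresent());
    }
}
```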
