tomcat-dev mailing list archives

From Yoav Shapira <yo...@apache.org>
Subject Re: Accessing a custom user principal from a JAAS Realm
Date Wed, 19 Oct 2005 14:15:44 GMT
Hi,
You'd need to cast as follows:

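// Requires java.security.Principal and org.apache.catalina.realm.GenericPrincipal
Principal mydude = request.getUserPrincipal();
if (mydude instanceof GenericPrincipal) {
  // Unwrap the underlying user principal from Tomcat's GenericPrincipal
  mydude = ((GenericPrincipal) mydude).getUserPrincipal();
}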

Yoav 

--- Brad O'Hearne <brado@neurofire.com> wrote:

> After several days of questions on the user mailing list surrounding 
> this issue, I received an answer today which I need to confirm with any 
> of the developers out there. Basically, I am using Tomcat 5.0.28, and 
> using the JAAS realm for authentication and authorization. In my JAAS 
> login module, I am setting the user principal as a custom Principal 
> implementation configured in server.xml. Here's my server.xml realm setup:
> 
> <Realm className="org.apache.catalina.realm.JAASRealm"
>     appName="imap"
>     userClassNames="com.redbarnsoftware.web.security.UserPrincipal"
>     roleClassNames="com.redbarnsoftware.web.security.RolePrincipal"  
>     debug="99" />
> 
> My authentication across my login module works just fine. But in my 
> subsequent servlets, when I invoke the request.getUserPrincipal() 
> method, I am not returned my user principal class type, but I am instead 
> returned a GenericPrincipal, and there's no way to get at my custom user 
> principal class.
> 
> Someone on the user list said that though it should be supported, 
> retrieving custom user principals wasn't supported for the JAAS realm. I 
> just wanted to confirm this with the developers, because it's hard for me 
> to imagine how the Java platform's authentication / authorization API is 
> not fully supported in a mature app like Tomcat -- it sounded a little 
> weird to me. So if someone could confirm this, that would really help.
> 
> Secondly, if it is in fact unsupported, I would like to inquire 1) if 
> this feature is planned and if so, when, and 2) what is required to 
> implement this in the present Tomcat architecture. I'd like to consider 
> adding this, as it is pretty much the type of hole that can be a 
> deal-killer for Tomcat from a security standpoint.
> 
> Thanks for your help.
> 
> Cheers,
> 
> Brad
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 
> 


Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com
