tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: [PROPOSAL] Remove Realm from GenericPrincipal
Date Fri, 17 Jul 2009 08:38:39 GMT
Konstantin Kolinko wrote:
> 2009/7/17 Mark Thomas <>:
>> As a result of looking into
>>, I discovered
>> that the only use made of the Realm attribute of GenericPrincipal is to
>> control whether or not a debug message is logged in RealmBase.hasRole()
> Looking at
> That revision comment says about switch to commons-logging, but
> besides just that the
> "if (!(gp.getRealm() == this))" block was changed from returning false
> to just logging a message.
> I am not sure, that it was intentional.

The commit message indicates that it was intentional.

> Or there was really a bug with jaas, that this change fixed?

I think it is safe to assume Costin wasn't making this up.

> Is there a use case, besides replication, where a Principal is
> processed in context of some other realm, some other realm instance,
> different from the one that created it?

Single Sign On uses a shared Principal

>> Given that the Realm is the reason that GenericPrincipal is not
>> Serializable, I'd like to propose the following changes for Tomcat 7.
>> 1. Remove the Realm from GenericPrincipal
>> 2. Make GenericPrincipal Serializable
>> 3. Take advantage of this to simplify the Cluster code
> I think "3." includes removing the
> o.a.c.cluster.session.SerializablePrincipal class

Yep :)

>> As a by product, this should also address bug 40881 by allowing any
>> Realm that uses any Serializable Principal to work with clustering.
> I attached a patch to that issue, see comment #12:
> It is to allow a serializable Principal to be written out and read in
> during replication.
> Cannot test it, though, as I do not have relevant configuration now.

I see where you are going with that. That could be a potential backport
route for 6.0.x and 5.5.x but for 7.0.x I can't see a good reason to
include the Realm in the Principal and several for getting rid of it.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message