tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: [PROPOSAL] Remove Realm from GenericPrincipal
Date Fri, 17 Jul 2009 05:44:57 GMT

On Jul 16, 2009, at 5:16 PM, Mark Thomas wrote:

> As a result of looking into
>, I discovered
> that the only use made of the Realm attribute of GenericPrincipal is  
> to
> control whether or not a debug message is logged in  
> RealmBase.hasRole()
> Given that the Realm is the reason that GenericPrincipal is not
> Serializable, I'd like to propose the following changes for Tomcat 7.
> 1. Remove the Realm from GenericPrincipal
> 2. Make GenericPrincipal Serializable
> 3. Take advantage of this to simplify the Cluster code
> As a by product, this should also address bug 40881 by allowing any
> Realm that uses any Serializable Principal to work with clustering.
> Thoughts?

I'm not sure exactly how the GenericPrincipal fits into tomcat  
security, but you might want to consider that jaspic requires that  
whatever Principal is set up by the authentication context (and  
communicated to the server through the somewhat bizarre mechanism of a  
callback handler) must be the principal returned from  
getUserPrincipal.  My conclusion from this is that a reasonable  
architecture involves some kind of UserIdentity object that contains  
the identity info including the principal but that trying to enforce  
usage of a particular principal class is not a good idea. cf the  
jaspic integration I mentioned the other day.

david jencks

> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message