tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Security Propagation
Date Fri, 05 Apr 2002 17:15:44 GMT

On Fri, 5 Apr 2002, Jason Owens wrote:

> Date: Fri, 5 Apr 2002 01:28:28 -0800
> From: Jason Owens <>
> Reply-To: Tomcat Users List <>
> To:
> Subject: Security Propagation
> I'm interfacing a servlet-based front end to an EJB back end (isn't
> everybody?) using tomcat + jboss. My issue is that I need to
> authenticate using my EJB security bean, but I want to associate the
> resulting subject with the users session in tomcat (as if I had
> performed container authentication). Are custom realms the ONLY way to
> do this (ugh)?

I don't know the JBoss integration code, but I imagine the answer would be
"yes", since you're trying to manage the Principals that Tomcat uses to
make security decisions.

> Is there any way to cache the subject in the session, and
> just somehow associate it with the thread's security context (sounds
> like this would be easier) when processing? I haven't found any good
> docs on writing a custom realm, has anyone written any?

Best bet is to look at the existing examples, like JDBCRealm and

However, to store stuff in the user session, you'll probably need to write
custom Authenticator subclasses as well.  Realms don't have access to
anything about the current request or session.

> Any help/pointers/solutions will be appreciated. Thanks

I suppose there is some reason that standard container managed security is
not sufficient ...

> -Jason


To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message