On Thu, 2 May 2002 geoff@beapgroup.com wrote:
> Date: Thu, 02 May 2002 14:36:15 -0800
> From: geoff@beapgroup.com
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: security, roles, and single signon
>
> I am planning to write a security realm to authenticate
> against our internal security system. This does not seem
> to be overly difficult. I then plan to use the
> SingleSignOn valve to propagate security between multiple
> web applications. Again, that seems straight forward.
>
> Now it starts to get a little tricky. In our security
> model a user belongs to many roles, but is only acting in
> one role at a time.
>
> Does anyone have any ideas on how to handle this ???
>
Umm, maybe, rethink it? :-)

All of the standard login mechanisms supported by the servlet spec are
based solely on username and password -- the best you can probably do is
combine (say) the username and desired role into the "username" field and
separate them inside the authenticate() method of your Realm
implementation. Then, I could log on as:

  Username: craigmcc/manager   Password: foo

or as:

  Username: craigmcc/admin     Password: foo

or even have different passwords for different roles, if you wanted to
set things up that way.

The Principal that you return in either case could have a name of
"craigmcc", and hasRole() would return "true" for only the role name that
was extracted in the authenticate() method.

Craig
--
To unsubscribe: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
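The "user/role in the username field" approach Craig describes, as an added example that is not part of the list post or of Tomcat itself. It assumes the Tomcat 4.x RealmBase/GenericPrincipal signatures of the time (protected getName()/getPassword()/getPrincipal(), and a GenericPrincipal constructor taking the Realm, name, password and role list) and uses a constructed in-memory map in place of the internal security system; the class name, package and sample accounts are hypothetical. The one check the reply leaves implicit is added here: the realm must verify that the role the user typed is one the backing store actually grants that user, otherwise the login form becomes a way to claim any role.

```java
// Added example (hypothetical), not code from the list post or from Tomcat.
// Assumes Tomcat 4.x RealmBase / GenericPrincipal signatures.
package com.example.realm;

import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class RoleSelectingRealm extends RealmBase {

    /** One account as the (constructed) backing store reports it. */
    private static final class Account {
        final String password;
        final List<String> roles;   // every role the user is entitled to
        Account(String password, String... roles) {
            this.password = password;
            this.roles = Collections.unmodifiableList(Arrays.asList(roles));
        }
    }

    // Constructed sample data standing in for the internal security system;
    // a real realm would call that system here instead.
    private static final Map<String, Account> ACCOUNTS = new HashMap<String, Account>();
    static {
        ACCOUNTS.put("craigmcc", new Account("foo", "manager", "admin"));
        ACCOUNTS.put("geoff",    new Account("bar", "manager"));
    }

    protected String getName() { return "RoleSelectingRealm"; }

    protected String getPassword(String username) {
        Account a = ACCOUNTS.get(username);
        return (a == null) ? null : a.password;
    }

    protected Principal getPrincipal(String username) {
        // Used by login paths that carry no role selection; grant no role.
        if (getPassword(username) == null) return null;
        return new GenericPrincipal(this, username, null, new ArrayList<String>());
    }

    /** Splits "user/role" into {user, role}; null if the field is malformed. */
    static String[] splitUserRole(String field) {
        if (field == null) return null;
        int slash = field.indexOf('/');
        // Require exactly one separator with non-empty parts on both sides.
        if (slash <= 0 || slash == field.length() - 1) return null;
        if (field.indexOf('/', slash + 1) >= 0) return null;
        return new String[] { field.substring(0, slash), field.substring(slash + 1) };
    }

    public Principal authenticate(String username, String credentials) {
        String[] parts = splitUserRole(username);
        if (parts == null || credentials == null) return null;
        String user = parts[0];
        String requestedRole = parts[1];

        Account acct = ACCOUNTS.get(user);
        if (acct == null) return null;

        // Constant-time comparison so an unknown user and a wrong password
        // are not distinguishable by response timing.
        if (!MessageDigest.isEqual(acct.password.getBytes(), credentials.getBytes())) {
            return null;
        }

        // The user may only *select* a role the backing store already grants.
        if (!acct.roles.contains(requestedRole)) return null;

        // Principal name is the bare user; only the selected role is active,
        // so RealmBase.hasRole() answers true for that one role alone.
        List<String> active = new ArrayList<String>();
        active.add(requestedRole);
        return new GenericPrincipal(this, user, credentials, active);
    }
}
```

With the sample data, "craigmcc/manager" + "foo" yields a Principal named craigmcc for which hasRole("manager") is true and hasRole("admin") is false; "geoff/admin" + "bar" is refused even though the password is right, because geoff was never granted admin. Note that the SingleSignOn valve reuses the Principal produced by the first login for the other web applications, so the role chosen at that login is the one that propagates; switching roles means logging out and back in with a different "user/role" field.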