tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: security, roles, and single signon
Date Thu, 02 May 2002 22:39:15 GMT


On Thu, 2 May 2002 geoff@beapgroup.com wrote:

> Date: Thu, 02 May 2002 14:36:15 -0800
> From: geoff@beapgroup.com
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: security, roles, and single signon
>
> I am planning to write a security realm to authenticate
> against our internal security system. This does not seem
> to be overly difficult. I then plan to use the
> SingleSignOn valve to propagate security between multiple
> web applications. Again, that seems straightforward.
>
> Now it starts to get a little tricky. In our security
> model a user belongs to many roles, but is only acting in
> one role at a time.
>
> Does anyone have any ideas on how to handle this ???
>

Umm, maybe, rethink it?  :-)

All of the standard login mechanisms supported by the servlet spec are
based solely on username and password -- the best you can probably do is
combine (say) the username and desired role into the "username" field and
separate them inside the authenticate() method of your Realm
implementation.  Then, I could log on as:

  Username:  craigmcc/manager   Password: foo

or as:

  Username:  craigmcc/admin     Password: foo

or even have different passwords for different roles, if you wanted to
set things up that way.

The Principal that you return in either case could have a name of
"craigmcc", and hasRole() would return "true" for only the role name that
was extracted in the authenticate() method.

Craig
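The scheme Craig describes, as an added example that is not from the original thread or from Tomcat itself: a hypothetical RoleSelectingRealm splits the "user/role" username, checks the password, verifies the user is actually allowed to hold the requested role, and returns a Principal whose hasRole() is true only for that one role. It is plain Java (java.security.Principal) rather than Tomcat's RealmBase, and the user/role store is constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Hypothetical realm illustrating the "user/role" login convention (not Tomcat's RealmBase).
public class RoleSelectingRealm {

    // Constructed sample store: passwords and the roles each user is permitted to assume.
    private static final Map<String, String> PASSWORDS = Map.of("craigmcc", "foo");
    private static final Map<String, Set<String>> ALLOWED_ROLES =
            Map.of("craigmcc", Set.of("manager", "admin"));

    /** Principal named after the bare user, but a member of exactly one role: the one chosen at login. */
    public static final class SingleRolePrincipal implements Principal {
        private final String name;
        private final String activeRole;

        SingleRolePrincipal(String name, String activeRole) {
            this.name = name;
            this.activeRole = activeRole;
        }

        @Override public String getName() { return name; }          // "craigmcc", not "craigmcc/manager"
        public boolean hasRole(String role) { return activeRole.equals(role); }
    }

    /** Returns the authenticated principal, or null if the name, password or role selection is rejected. */
    public static SingleRolePrincipal authenticate(String username, String credentials) {
        if (username == null || credentials == null) return null;
        int slash = username.indexOf('/');
        if (slash <= 0 || slash == username.length() - 1) return null;   // require "user/role"
        String user = username.substring(0, slash);
        String role = username.substring(slash + 1);

        String expected = PASSWORDS.get(user);
        if (expected == null) return null;
        // Constant-time comparison so a wrong password is not distinguishable by timing.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   credentials.getBytes(StandardCharsets.UTF_8))) return null;

        // A user may only act in a role they are permitted to hold; otherwise the login fails.
        if (!ALLOWED_ROLES.getOrDefault(user, Set.of()).contains(role)) return null;
        return new SingleRolePrincipal(user, role);
    }

    public static void main(String[] args) {
        SingleRolePrincipal p = authenticate("craigmcc/manager", "foo");
        System.out.println(p.getName() + " manager=" + p.hasRole("manager") + " admin=" + p.hasRole("admin"));
        System.out.println("bad role rejected: " + (authenticate("craigmcc/root", "foo") == null));
    }
}
```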

