tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: security, roles, and single signon
Date Thu, 02 May 2002 22:39:15 GMT

On Thu, 2 May 2002 wrote:

> Date: Thu, 02 May 2002 14:36:15 -0800
> Reply-To: Tomcat Users List <>
> Subject: security, roles, and single signon
> I am planning to write a security realm to authenticate
> against our internal security system. This does not seem
> to be overly difficult. I then plan to use the
> SingleSignOn valve to propagate security between multiple
> web applications. Again, that seems straightforward.
> Now it starts to get a little tricky. In our security
> model a user belongs to many roles, but is only acting in
> one role at a time.
> Does anyone have any ideas on how to handle this?

Umm, maybe, rethink it?  :-)

All of the standard login mechanisms supported by the servlet spec are
based solely on username and password -- the best you can probably do is
combine (say) the username and desired role into the "username" field and
separate them inside the authenticate() method of your Realm
implementation.  Then, I could log on as:

  Username:  craigmcc/manager   Password: foo

or as:

  Username:  craigmcc/admin     Password: foo

or even have different passwords for different roles, if you wanted to
set things up that way.

The Principal that you return in either case could have a name of
"craigmcc", and hasRole() would return "true" for only the role name that
was extracted in the authenticate() method.
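Craig's scheme in working form, as an added example that is neither Craig's code nor anything shipped with Tomcat: a Realm for Tomcat 9.0 that splits the username field at "/", verifies the password through the realm's configured CredentialHandler, and hands back a GenericPrincipal named "craigmcc" that carries only the selected role. It adds one check the reply leaves implicit: the realm must confirm that the user is actually entitled to the role they typed in, otherwise "craigmcc/admin" with a valid password is an instant privilege escalation. The package name, the class name, and the in-memory password and role tables standing in for the poster's internal security system are assumptions made up for this illustration.

```java
package example.realm; // hypothetical package, not part of Tomcat

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Realm that expects the login form's username field to carry "user/role".
 * It authenticates the bare user, checks that the user is entitled to the
 * requested role, and returns a Principal named after the bare user whose
 * hasRole() answers true for that single role only.
 */
public class RoleSelectingRealm extends RealmBase {

    private static final char SEPARATOR = '/';

    // Constructed sample data standing in for the poster's internal security
    // system. Stored credentials are plaintext only to match the reply's
    // example; configure a hashing CredentialHandler for a real deployment.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, List<String>> ENTITLED_ROLES = new HashMap<>();
    static {
        PASSWORDS.put("craigmcc", "foo");
        ENTITLED_ROLES.put("craigmcc", Arrays.asList("manager", "admin"));
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        // Require exactly one separator with a non-empty part on each side,
        // so a bare "craigmcc" or a stray second "/" is rejected outright.
        int sep = username.indexOf(SEPARATOR);
        if (sep <= 0 || sep != username.lastIndexOf(SEPARATOR)
                || sep == username.length() - 1) {
            return null;
        }
        String user = username.substring(0, sep);
        String role = username.substring(sep + 1);

        // Password check goes through the realm's CredentialHandler, which
        // Tomcat installs (MessageDigestCredentialHandler) if none is configured.
        String stored = getPassword(user);
        if (stored == null || !getCredentialHandler().matches(credentials, stored)) {
            return null;                       // unknown user or wrong password
        }

        // A correct password must not grant whatever role the user typed in:
        // fail closed unless the security system lists the user in that role.
        List<String> entitled = ENTITLED_ROLES.getOrDefault(user, Collections.emptyList());
        if (!entitled.contains(role)) {
            return null;
        }

        // Principal name is the bare user; only the selected role is attached,
        // so hasRole("admin") is false for a "craigmcc/manager" login.
        return new GenericPrincipal(user, credentials, Collections.singletonList(role));
    }

    @Override
    protected String getPassword(String username) {
        return PASSWORDS.get(username);
    }

    @Override
    protected Principal getPrincipal(String username) {
        // Only username/password login carries the role selection; other
        // mechanisms (client certificates, GSS) are deliberately unsupported.
        return null;
    }
}
```

Register it in the context or host with `<Realm className="example.realm.RoleSelectingRealm"/>`. Because the SingleSignOn valve caches the authenticated Principal for the whole virtual host, the role picked at login follows the user into every application behind the valve; switching to another role means logging out and signing in again with the other suffix.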


