tomcat-users mailing list archives

From "Shapira, Yoav" <>
Subject RE: Suggestions needed - customizing authorization
Date Tue, 01 Apr 2003 18:31:30 GMT


>Before I dive into hacking a bunch of Tomcat source
>code, I would very much like to solicit the opinions of
>some more experienced users.

I doubt you'll need to hack a bunch of Tomcat source code.

>I need a form-login authorization scenario that

Authorization or authentication?

>My initial thought was to create a custom Realm, but I
>don't see a way to access the HttpServletRequest that
>is seeking authentication. Have I missed something

You can use one of the existing realms.  Create a file or database table
as outlined in the realm how-to document, containing the users and roles
you want.  Define the appropriate realm in server.xml.  Define the
security constraint elements in your web.xml.

>accomplishing what I am trying to do? Is there a way to
>access the Principal of a given request after the user
>has been authenticated?

Request.getUserPrincipal() is the servlet specification standard way to
do this.  And Request.isUserInRole() is the standard way to check if the
user is a member of a certain group.

>create a custom Principal capable of storing the other
>properties I need? Any pointers, suggestions or ideas
>would be much appreciated. Also, if you know of any
>projects that have already done this, I'd love to check
>them out so I'm not reinventing the wheel.

It's good that you don't want to re-invent the wheel.  I don't think you
have to do much coding given your requirements.

Yoav Shapira
Millennium ChemInformatics
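
An added example, not part of the original message or of Tomcat's code: a servlet that uses the two standard calls named in the reply and fails closed when the container has not authenticated the request. The class name `AccountServlet` and the role name `manager` are assumptions, as is a web.xml that covers the servlet's URL pattern with a security constraint and FORM login-config.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet for illustration. Assumes web.xml maps it under a URL
// pattern protected by a <security-constraint>, and declares the role below in
// a <security-role> element. Tomcat 10 and later use the jakarta.servlet
// package names instead of javax.servlet.
public class AccountServlet extends HttpServlet {

    // Assumed role name; it must match a role granted by the configured realm.
    private static final String REQUIRED_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the container after a successful login against the realm.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // No authenticated user: typically the URL is not covered by any
            // security constraint. Refuse instead of treating it as a guest.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated, but the realm did not grant the required role.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Plain text so the user name is never interpreted as markup.
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("Authenticated as: " + user.getName());
        // Reports "FORM" when the login came through form-based authentication.
        out.println("Auth scheme: " + request.getAuthType());
    }
}
```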
