tomcat-users mailing list archives

From "Mark R. Diggory" <>
Subject Questions about Extending Tomcat Security Realms, Authenticators and GenericPrincipals
Date Tue, 13 May 2003 17:48:44 GMT
I've got a situation where I'm trying to merge Tomcat's Realm Security 
with a custom security model we use at my group.

Currently we have a model where there are "Components that have 
Resources", "Resources that have Classes" (which have nothing to do with 
Java classes), and "Users that belong to Groups". We have an LDAP server 
where "Groups" get mapped to "Classes" for a specific "Component/Resource".

This creates a situation where more than "roles" need to be known to 
Authorize a user to access a specific resource on a specific component.

I've been attempting to "refactor" this model to integrate well with 
Tomcat's Security.

In our case the Tomcat Server represents a specific Component in the 
system. I'm currently using the JNDIRealm and custom authenticator to 
authenticate the user in both Tomcat and our entire system as a whole. 
So I have two authorization models now:

(1) for local access to JSP/Servlets (Using JNDIRealm to gather roles)
(2) for authenticating access to resources in the System that lie on 
other Components.

In this case (2) uses a separate class "Profile", which is analogous to 
a combination of JNDIRealm and GenericPrincipal. It contains both the 
user's role information plus an instance of JNDI DirContext to do 
Authorization requests against.

I'd like to merge these two models further. My question is:

Is it logical to Consider "Extending" GenericPrincipal to add 
functionality to it?

I'm basically considering refactoring my "Profile" object into a 
GenericPrincipal object that provides an "authorize" method that works 
against our LDAP server(s).

Or is it more logical to keep such behavior outside of Tomcat's 
Authorization Mechanisms?

Any comments would be highly appreciated.
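One shape the "Profile" refactoring could take, as an added illustration that is not code from the poster or from Tomcat: a Principal that wraps the GenericPrincipal produced by JNDIRealm (so Tomcat's role checks keep working) and adds an authorize method that asks LDAP whether one of the user's groups is mapped to the required class for a given component and resource. The mapping base `ou=mappings,dc=example,dc=org` and the attribute names `component`, `resource`, `class` and `group` are assumptions for the example, since the post does not describe the directory schema; wrapping rather than subclassing also avoids depending on a particular Tomcat version's GenericPrincipal constructor.

```java
import java.security.Principal;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apache.catalina.realm.GenericPrincipal;

/** Wraps Tomcat's GenericPrincipal and adds component/resource/class authorization via LDAP. */
public class ProfilePrincipal implements Principal {
    // Schema assumed for this example; adjust to the real directory layout.
    private static final String MAPPING_BASE = "ou=mappings,dc=example,dc=org";

    private final GenericPrincipal tomcatPrincipal; // roles already gathered by JNDIRealm
    private final List<String> groups;              // the user's LDAP group names
    private final DirContext ctx;                   // an already-bound DirContext

    public ProfilePrincipal(GenericPrincipal tomcatPrincipal, List<String> groups, DirContext ctx) {
        this.tomcatPrincipal = tomcatPrincipal;
        this.groups = groups;
        this.ctx = ctx;
    }

    public String getName() { return tomcatPrincipal.getName(); }

    /** Local (servlet/JSP) checks still go through Tomcat's role list. */
    public boolean hasRole(String role) { return tomcatPrincipal.hasRole(role); }

    /** True if any of the user's groups maps to requiredClass for this component/resource. */
    public boolean authorize(String component, String resource, String requiredClass)
            throws NamingException {
        if (groups.isEmpty()) return false;
        // Build a parameterized filter: values go through filterArgs so JNDI escapes
        // LDAP metacharacters instead of them being concatenated into the filter.
        Object[] args = new Object[groups.size() + 3];
        args[0] = component; args[1] = resource; args[2] = requiredClass;
        StringBuilder groupClause = new StringBuilder("(|");
        for (int i = 0; i < groups.size(); i++) {
            groupClause.append("(group={").append(i + 3).append("})");
            args[i + 3] = groups.get(i);
        }
        String filter = "(&(component={0})(resource={1})(class={2})" + groupClause + "))";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // existence check only; fetch no attributes
        NamingEnumeration<SearchResult> results = ctx.search(MAPPING_BASE, filter, args, sc);
        try { return results.hasMore(); } finally { results.close(); }
    }
}
```

The same authorize logic could equally live in a separate service keyed on the Principal's name, which is the "keep it outside Tomcat" option the post raises; the wrapper only changes where the method is reachable from.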
