tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Questions about Extending Tomcat Security Realms, Authenticators and GenericPrinciples
Date Wed, 14 May 2003 06:21:07 GMT
Well, I, personally, threw out GenericPrincipal.  My
custom Authenticator/Realm assigns its own Principal class.  The Principal
interface is pretty simple.  I'd just go with it, and ignore Tomcat's

"Mark R. Diggory" <> wrote in message
> I've got a situation where I'm trying to merge Tomcat's Realm Security
> with a custom security model we use at my group.
> Currently we have a model where there are "Components that have
> Resources", "Resources that have Classes" (which have nothing to do with
> Java classes), and "Users that belong to Groups". We have an LDAP server
> where "Groups" get mapped to "Classes" for a specific
> This creates a situation where more than "roles" need to be known to
> Authorize a user to access a specific resource on a specific component.
> I've been attempting to "refactor" this model to integrate well with
> Tomcat's Security.
> In our case the Tomcat Server represents a specific Component in the
> system. I'm currently using the JNDIRealm and custom authenticator to
> authenticate the user in both Tomcat and our entire system as a whole.
> So I have two authorization models now:
> (1) for local access to JSP/Servlets (using JNDIRealm to gather roles)
> (2) for authenticating access to resources in the System that lie on
> other Components.
> In this case (2) uses a separate class "Profile", which is analogous to
> a combination of JNDIRealm and GenericPrincipal. It contains both the
> user's role information plus an instance of JNDI DirContext to do
> Authorization requests against.
> I'd like to merge these two models further. My question is:
> Is it logical to consider "extending" GenericPrincipal to add
> functionality to it?
> I'm basically considering refactoring my "Profile" object into a
> GenericPrincipal object that provides an "authorize" method that works
> against our LDAP server(s)?
> Or is it more logical to keep such behavior outside of Tomcat's
> Authorization Mechanisms?
> Any comments would be highly appreciated.
> -Mark
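A sketch of the custom Principal class Bill suggests, carrying Tomcat roles for web.xml constraints alongside a resource-level "authorize" check for the component/resource model Mark describes. This is an added example, not code from either poster or from Tomcat; `ResourcePolicy` and `ProfilePrincipal` are assumed names, and the LDAP group-to-class lookup is abstracted behind the interface.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Resource-level policy lookup (assumed interface). In the setup described in
 *  the thread this would be backed by a JNDI DirContext that maps the user's
 *  LDAP groups to the classes of a resource on a given component. */
interface ResourcePolicy {
    boolean allows(String user, String component, String resource);
}

/** A Principal that a custom Realm can return from authenticate(): it answers
 *  Tomcat's role checks and also authorizes access to resources elsewhere. */
public final class ProfilePrincipal implements Principal {
    private final String name;
    private final Set<String> roles;
    private final ResourcePolicy policy;

    public ProfilePrincipal(String name, Set<String> roles, ResourcePolicy policy) {
        if (name == null || policy == null) {
            throw new IllegalArgumentException("name and policy are required");
        }
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        this.policy = policy;
    }

    @Override public String getName() { return name; }

    /** Role check that a custom Realm's hasRole() can delegate to. */
    public boolean hasRole(String role) { return roles.contains(role); }

    /** Deny by default: a failed or throwing lookup is "not authorized",
     *  so an LDAP outage never turns into an accidental grant. */
    public boolean authorize(String component, String resource) {
        try {
            return policy.allows(name, component, resource);
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory policy standing in for the LDAP-backed one.
        ResourcePolicy demo = (u, c, r) ->
            u.equals("mark") && c.equals("archive") && r.equals("dataset-1");
        ProfilePrincipal p = new ProfilePrincipal("mark", Set.of("member"), demo);
        System.out.println(p.hasRole("member") + " " + p.authorize("archive", "dataset-1")
            + " " + p.authorize("archive", "dataset-2"));
    }
}
```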
