tomcat-users mailing list archives

From Gunnar Brading <>
Subject Re: Functionality of <run-as> for Servlets
Date Wed, 01 Sep 2004 12:31:18 GMT
Your suggestion is very good, but doesn't work, as I understand it, when 
not using a SecurityManager. Subject.getSubject() returns null.

Now I myself think it is a great idea to use a security-manager at all 
times, but when writing an application it seems like a good idea not to 
make that assumption.

Is it really a requirement to have a SecurityManager for Subject to be 
useful? It seems like a construct like the one you suggest should work 
even without one.

-- Gunnar

Gunnar Brading wrote:

> I have been in need of using the <run-as> tag in a Tomcat-only 
> environment... Is this possible? Reading the source indicates that it 
> wouldn't be possible to get the information about the role the context 
> currently is in. Using the request's in-role methods of course tells me 
> about the user, and not the context.
> Have I come to the right conclusion?

No ;-)

You can get access to the Subject by doing 

> Reading the specs tells me that the functionality is meant for 
> transferring roles to EJBs. Some documentation I found at Sun 
> indicates though that even web-applications should be able to use this.

The way SJSAS 8.x is doing that is by using the Subject and then the 
principal(s) associated with the Subject.

-- Jeanfrancois

> Anyone got more information about this?
> Cheers,
> -- gunnar

 Gunnar Brading, Astrogator AB - High Performance Networks & Interactive Media
  Email;  Address; Rorstrandsgatan 30A, 113 40 STOCKHOLM
    Office: +46 8 5456 0010 Fax: +46 8 5456 0011 Cellular: +46 70 778 2 877

     The scientist describes what is; the engineer creates what never was
					- Theodore von Karman
