tomcat-users mailing list archives

From "Wendy Smoak" <>
Subject Re: Tomcat user 'roles' question
Date Sat, 09 Apr 2005 18:52:30 GMT
From: "Bill Barker" <>
> Custom Realms really aren't all that hard.  You typically create a class 
> that extends RealmBase 
> (,

> changing the '5.5' to the TC version you care about, unless it's 3.3 where 
> the package is different).  Then you override the 'getPassword(String)' 
> (returns the db-password of the user), the 'getPrincipal(String)' (returns 
> the userPrincipal for the user), and the 'getName()' (returns the name of 
> the realm -- any identifying string).  If you return anything but a 
> o.a.c.realm.GenericPrincipal from getPrincipal, then you'll have to 
> override the 'hasRole(Principal, String)' method as well.

Thank you, that gives me a place to start.  But I don't want to 
_authenticate_ the user at all... that's done elsewhere (one of two 
different places, actually) and handled by a Filter.  And yet I realize 
that somehow Tomcat has to know who the user is. :/

If I create a realm and configure it, will I be able to circumvent the user 
getting prompted for a userID and password?  Can I (in the Filter) place a 
GenericPrincipal object in the session under some key?  I'm really only 
after the programmatic security of isUserInRole(...) here, but would like to 
stick to the standard way of doing things as much as possible.

Wendy Smoak 
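
The realm subclass described in the quoted reply, as an added example that is not part of either poster's message or Tomcat's own code. It assumes the Tomcat 5.5 signatures (where `GenericPrincipal` takes the realm as its first constructor argument); `SampleRealm`, `Account`, the package name and the sample users are hypothetical.

```java
package example.realm; // hypothetical package name

import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class SampleRealm extends RealmBase {

    // Constructed sample record; a real realm would read its own user store.
    private static final class Account {
        final String credential;
        final List<String> roles;
        Account(String credential, List<String> roles) {
            this.credential = credential;
            this.roles = roles;
        }
    }

    private final Map<String, Account> accounts = new HashMap<String, Account>();

    public SampleRealm() {
        // Constructed users and roles, for illustration only.
        accounts.put("alice", new Account("constructed-credential-1",
                Arrays.asList("manager", "user")));
        accounts.put("bob", new Account("constructed-credential-2",
                Arrays.asList("user")));
    }

    // Any identifying string for the realm.
    @Override
    protected String getName() {
        return "SampleRealm";
    }

    // Stored credential for the user; null means "no such user".
    @Override
    protected String getPassword(String username) {
        Account account = accounts.get(username);
        return account == null ? null : account.credential;
    }

    // Returning a GenericPrincipal lets the inherited hasRole(Principal, String)
    // answer role checks, so hasRole does not need to be overridden.
    @Override
    protected Principal getPrincipal(String username) {
        Account account = accounts.get(username);
        if (account == null) {
            return null; // unknown user: no principal, so no roles
        }
        return new GenericPrincipal(this, username, account.credential, account.roles);
    }
}
```

Compile against the Catalina classes of the target Tomcat version and reference the class from a `<Realm className="example.realm.SampleRealm"/>` element.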
