tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jon Wingfield <jon.wingfi...@mkodo.com>
Subject Re: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal)
Date Tue, 18 Oct 2005 11:31:09 GMT
Yes. It is possible ;)

Write a custom Realm, probably extending RealmBase. Methods such as 
authenticate(username,credentials) return your custom Principal.

The custom realm has to be packaged in to commons/lib. The way we got 
around classloader hell was to have an interface in common/lib which was 
an(other) abstraction for user authentication. The realm looks up an 
implementation of this type by JNDI. The implementation specified in the 
context.xml Resource element is just a wrapper that is populated by your 
  webapp (again by JNDI) with the real authenticator.

It's a round the houses mechanism but keeps the real logic out of 
commons/lib and in the webapp where it belongs.

HTH,

Jon

Mark Benussi wrote:
> If you're implementing JAAS... no. No idea about the rest. Its not supported
> in Tomcat (But should be). Stick it in the session, and then you have to
> override the Tomcat HttpRequestProcessor (isUserInRole()) to get your
> Principal out of the session and call the validation.
> 
> -----Original Message-----
> From: Brad O'Hearne [mailto:brado@neurofire.com] 
> Sent: 17 October 2005 22:25
> To: Brad O'Hearne
> Cc: Tomcat Users List
> Subject: Is it even possible to retrieve a custom user principal? (Was:
> Tomcat user principal)
> 
> Hello,
> 
> As this has become a bit of a roadblock in implementing security, I'd 
> like to ask anyone out there two things:
> 
> 1) Is it even possible to use a custom user princpal within a realm that 
> is retrievable within a servlet (via presumably the request or 
> otherwise) in Tomcat?
> 
> 2) If the answer to #1 is yes, how is this done? Does anyone have a 
> working code snippet that demonstrates this?
> 
> Thanks, I'm about to head to the developer list to ask this question, as 
> its pretty crucial for our security implementation.
> 
> Brad
> 
> Brad O'Hearne wrote:
> 
> 
>>Response below:
>>
>>Wendy Smoak wrote:
>>
>>
>>>From: "Brad O'Hearne" <brado@neurofire.com>
>>>
>>>>I would have expected that designation of the user class name would 
>>>>have resulted in my being returned the class I specified for the 
>>>>user class name from the requestion.getUserPrincpal() method, but it 
>>>>doesn't.
>>>
>>>
>>>
>>>What version of Tomcat are you using?  As far as I know, it works the 
>>>way you want on 5.0.28.  I remember trying it with and without the 
>>>class name, and writing that comment to remind myself.
>>>
>>>Could this be it?  
>>>http://issues.apache.org/bugzilla/show_bug.cgi?id=37044
>>>
>>
>>I am using 5.0.28, and I'm not seeing the expected behavior. 
>>Hmmm.....was there anything else that has to be done to be able to 
>>access your own custom user principal?
>>
>>Brad
>>
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message