tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Bug in RealmBase, JAASRealm, and/or Requestt object preventing proper role authorization
Date Fri, 21 Oct 2005 04:09:04 GMT
> From: Brad O'Hearne [mailto:brado@neurofire.com] 
> Subject: Re: Bug in RealmBase, JAASRealm, and/or Requestt 
> object preventing proper role authorization
> 
> If you wanted to try to game the authorization, you'd have to 
> take your role principal, shove it into the user principal, 
> then let the realm shove both of those again into another 
> GenericPrincipal that wrapped it.

No, that's wrappering.  What I suggested was declaring your custom
principal as a subclass of GenericPrincipal so the JAASRealm code could
use it directly.

> I thought about that too, but I don't know enough about the 
> other source code to know if it is safe and would affect 
> things elsewhere in code.

The rules of subclassing make this perfectly safe.  The rest of the code
may be using your object, but the other code can only refer to it via
the methods declared in the superclass GenericPrincipal; whatever
customization you've made is invisible to the rest of Tomcat.  You would
also have the freedom of overriding the GenericPrincipal methods to suit
your needs.

 - Chuck

