Message-ID: <43542064.1030707@neurofire.com>
Date: Mon, 17 Oct 2005 15:06:28 -0700
From: Brad O'Hearne
To: Tomcat Users List
Subject: Re: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal)

Mark,

Thanks a ton for the reply. I almost want to reply with "you're kidding, right?", as I am kind of speechless that using JAAS (which I am), the Java platform's standard authentication/authorization API, doesn't allow one to use a custom principal. It seems like a major hole in Tomcat security flexibility. I suppose I'll float on over to the developer list to find out more about whether this is a planned change or not, and how much trouble it would be to add it.

As for your workaround, where can I set the session? My JAAS login module doesn't have access to the session, I don't believe, which is where my user principal is created. If I had my principal in the session, then the default isUserInRole() should work as is, I'll just retrieve my custom user principal out of the session for other custom data. Mark, where can I add my user principal to the session?

Brad

Mark Benussi wrote:

>If you're implementing JAAS... no. No idea about the rest. It's not supported
>in Tomcat (But should be). Stick it in the session, and then you have to
>override the Tomcat HttpRequestProcessor (isUserInRole()) to get your
>Principal out of the session and call the validation.
>
>-----Original Message-----
>From: Brad O'Hearne [mailto:brado@neurofire.com]
>Sent: 17 October 2005 22:25
>To: Brad O'Hearne
>Cc: Tomcat Users List
>Subject: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal)
>
>Hello,
>
>As this has become a bit of a roadblock in implementing security, I'd
>like to ask anyone out there two things:
>
>1) Is it even possible to use a custom user principal within a realm that
>is retrievable within a servlet (via presumably the request or
>otherwise) in Tomcat?
>
>2) If the answer to #1 is yes, how is this done? Does anyone have a
>working code snippet that demonstrates this?
>
>Thanks, I'm about to head to the developer list to ask this question, as
>it's pretty crucial for our security implementation.
>
>Brad
>
>Brad O'Hearne wrote:
>
>>Response below:
>>
>>Wendy Smoak wrote:
>>
>>>From: "Brad O'Hearne"
>>>
>>>>I would have expected that designation of the user class name would
>>>>have resulted in my being returned the class I specified for the
>>>>user class name from the request.getUserPrincipal() method, but it
>>>>doesn't.
>>>
>>>What version of Tomcat are you using? As far as I know, it works the
>>>way you want on 5.0.28. I remember trying it with and without the
>>>class name, and writing that comment to remind myself.
>>>
>>>Could this be it?
>>>http://issues.apache.org/bugzilla/show_bug.cgi?id=37044
>>
>>I am using 5.0.28, and I'm not seeing the expected behavior.
>>Hmmm.....was there anything else that has to be done to be able to
>>access your own custom user principal?
>>
>>Brad
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
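
The session-based workaround discussed in this thread, sketched as an added example that is not code from any participant or from Tomcat. It swaps in a standard servlet Filter with an HttpServletRequestWrapper in place of overriding Tomcat internals; `AppPrincipal`, `CustomPrincipalFilter`, the `app.principal` attribute name and `loadPrincipal()` are all hypothetical. The custom principal is keyed to the name the container already authenticated, never to request input, and role checks stay with the container.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical custom principal; "department" stands in for the extra custom data.
class AppPrincipal implements Principal, java.io.Serializable {
    private final String name;
    private final String department;
    AppPrincipal(String name, String department) { this.name = name; this.department = department; }
    public String getName() { return name; }
    public String getDepartment() { return department; }
}

public class CustomPrincipalFilter implements Filter {
    static final String KEY = "app.principal"; // assumed session attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        Principal authenticated = req.getUserPrincipal(); // set by the container's realm
        if (authenticated == null) {                      // not logged in: pass through untouched
            chain.doFilter(rq, rs);
            return;
        }
        HttpSession session = req.getSession();
        AppPrincipal custom = (AppPrincipal) session.getAttribute(KEY);
        // Rebuild if missing or if it no longer matches the authenticated user.
        if (custom == null || !custom.getName().equals(authenticated.getName())) {
            custom = loadPrincipal(authenticated.getName());
            session.setAttribute(KEY, custom);
        }
        final AppPrincipal principal = custom;
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public Principal getUserPrincipal() { return principal; }
            // isUserInRole() is inherited, so it still delegates to the container.
        }, rs);
    }

    // Placeholder lookup: replace with the same user store the login module reads.
    private AppPrincipal loadPrincipal(String userName) {
        return new AppPrincipal(userName, "unknown");
    }
}
```

The filter would be mapped in web.xml to the same URL patterns as the security constraints, so servlets behind it can cast `request.getUserPrincipal()` to `AppPrincipal`.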