tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JAAS authenticated user fails authorization check
Date Tue, 06 May 2008 19:05:56 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robin,

Robin Coe wrote:
| Problem is, the GenericPrincipal class is in the Catalina jar, which
| is available to Tomcat as a native library but for me to make use of
| it, I'd have to include it in my web-app lib.

Actually, no. GenericPrincipal as loaded by Tomcat's ClassLoader would
be incompatible with the GenericPrincipal class as loaded by your
webapp's ClassLoader. You'd need to put your authentication code into
Tomcat's lib directory in order to use it properly.

| I was hoping to be container-agnostic and avoid any proprietary
| libraries, which is why I used JNDI and JAAS.

But, you did use your own Principal implementation. Forgive my ignorance
regarding JAAS, but I was under the impression that it is atypical to
implement your own Principal object.

| I want to be able to hook into my security wrapper without
| necessarily going through Tomcat's security realm.

Container-managed security is pretty much intended to be self-contained.
You can't get Tomcat-managed authentication and authorization and yet
avoid Tomcat's security classes. Sorry.

| So, my options are to include the Catalina jar in my context or
| create my own mappings between resources and roles.  In the former
| case, I'll have a maintenance issue, because I'll have to ensure that
| the developers know that the jar needs to be kept in sync with the
| Tomcat environment.  In the latter case, I'll be manually doing what
| Tomcat can do.  However, if I am to be truly agnostic, that is what I
| should do anyway.

Maintaining a Tomcat-compatible security library will be much easier
than implementing your own authentication and authorization framework
(but feel free to do so!).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkggrBQACgkQ9CaO5/Lv0PBgHgCgr62b+5TvN4YHA3uiyz/stkDv
njAAnjXnytJQvxWGRjDbq1lDxkWiUHvc
=Fi6E
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message