tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: JAAS authenticated user fails authorization check
Date Tue, 06 May 2008 19:05:56 GMT
Hash: SHA1


Robin Coe wrote:
| Problem is, the GenericPrincipal class is in the Catalina jar, which
| is available to Tomcat as a native library but for me to make use of
| it, I'd have to include it in my web-app lib.

Actually, no. GenericPrincipal as loaded by Tomcat's ClassLoader would
be incompatible with the GenericPrincipal class as loaded by your
webapp's ClassLoader. You'd need to put your authentication code into
Tomcat's lib directory in order to use it properly.

| I was hoping to be container-agnostic and avoid any proprietary
| libraries, which is why I used JNDI and JAAS.

But, you did use your own Principal implementation. Forgive my ignorance
regarding JAAS, but I was under the impression that it is atypical to
implement your own Principal object.

| I want to be able to hook into my security wrapper without
| necessarily going through Tomcat's security realm.

Container-managed security is pretty much intended to be self-contained.
You can't get Tomcat-managed authentication and authorization and yet
avoid Tomcat's security classes. Sorry.

| So, my options are to include the Catalina jar in my context or
| create my own mappings between resources and roles.  In the former
| case, I'll have a maintenance issue, because I'll have to ensure that
| the developers know that the jar needs to be kept in sync with the
| Tomcat environment.  In the latter case, I'll be manually doing what
| Tomcat can do.  However, if I am to be truly agnostic, that is what I
| should do anyway.

Maintaining a Tomcat-compatible security library will be much easier
than implementing your own authentication and authorization framework
(but feel free to do so!).

- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message