tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glen Mazza <>
Subject Using with web service calls on Tomcat
Date Fri, 26 Dec 2008 16:11:13 GMT

Hello, Kumar Jayanti of Sun Microsystems had written a blog entry[1] showing
how on GlassFish, for web service calls, how roles can be dynamically
assigned to the SOAP client (here, based on the validation of a SAML
assertion).  I was wondering if I could do the same for Tomcat.

Basically, his web.xml defines a security role called "doctor":

  <description>A doctor</description>

This of course is the same for GlassFish and Tomcat.  Next, though, in the
GlassFish-specific sun-web.xml file, there is a mapping between a "DrRobert" and the doctor role:


Later, in the service-side MySAMLValidator class activated for each web
service call, if the assertion is valid the DrRobert principal is added to
the web service call's list of principals, effectively giving the web
service call the "doctor" role as a consequence of the principle-to-role
mapping above:

if (child.startsWith("CN=DrRobert")) {
   Principal p = new

This informs the web service provider implementation that the SOAP call is
being made by someone with the doctor role:

public class SAMLService {

    private WebServiceContext context;

    @WebMethod(operationName = "operation")
    public String operation(@WebParam(name = "parameter") String parameter)
        Boolean bool = context.isUserInRole("doctor");  // returns true
        if (bool == true) {
           ... do different logic...
        return "Hello " + parameter;


Does Tomcat have an equivalent functionality--an ability to work with
principals and dynamically tie them to roles?


View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message