Posted to dev@tomcat.apache.org by Brad O'Hearne <br...@neurofire.com> on 2005/10/18 06:43:13 UTC

Accessing a custom user principal from a JAAS Realm

After several days of questions on the user mailing list surrounding 
this issue, I received an answer today which I need to confirm with any 
of the developers out there. Basically, I am using Tomcat 5.0.28, and 
using the JAAS realm for authentication and authorization. In my JAAS 
login module, I am setting the user principal as a custom Principal 
implementation configured in server.xml. Here's my server.xml realm setup:

<Realm className="org.apache.catalina.realm.JAASRealm"
    appName="imap"
    userClassNames="com.redbarnsoftware.web.security.UserPrincipal"
    roleClassNames="com.redbarnsoftware.web.security.RolePrincipal"  
    debug="99" />

My authentication across my login module works just fine. But in my 
subsequent servlets, when I invoke the request.getUserPrincipal() 
method, I am not returned my user principal class type, but I am instead 
returned a GenericPrincipal, and there's no way to get at my custom user 
principal class.

Someone on the user list said that though it should be supported, 
retrieving custom user principals isn't supported for the JAAS realm. I 
just wanted to confirm this with the developers, because it's hard for me 
to imagine how the Java platform's authentication / authorization API is 
not fully supported in a mature app like Tomcat -- it sounded a little 
weird to me. So if someone could confirm this, that would really help.

Secondly, if it is in fact unsupported, I would like to inquire 1) if 
this feature is planned and if so, when, and 2) what is required to 
implement this in the present Tomcat architecture. I'd like to consider 
adding this, as it is pretty much the type of hole that can be a 
deal-killer for Tomcat from a security standpoint.

Thanks for your help.

Cheers,

Brad

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Accessing a custom user principal from a JAAS Realm

Posted by Yoav Shapira <yo...@apache.org>.
Brad,
No need to CC me on the reply, I get the dev@tomcat copy already ;)

> Thanks for the reply. What version of Tomcat are you referring to? I am using
> Tomcat 5.0.28. With regards to your code below, there is no 
> getUserPrincipal() method on the org.apache.catalina.realm.GenericPrincipal 
> class. 

I'm talking about 5.5.12 and the 5.5.x branch in general, which has this
method.

> Furthermore, how's this for bizarre -- if I do an "instanceof" with the class
> returned from request.getUserPrincipal(), and print it out, I get the 
> following:
> 
> Principal class is: org.apache.catalina.realm.GenericPrincipal
> 
> However, if I try to cast it to that class type in the very next line of
> code, 
> the code throws a ClassCastException. Very weird.

It's bizarre to the point of making me think what you really have on your hands
is a configuration issue, with likely multiple versions of the Catalina classes
on the runtime classpath, rather than a coding issue.

> The library I am using is 
> the catalina.jar sent with the code (which I happen to be packaging in my 
> WEB-INF/lib directory of my webapp).

I hope you don't mean to say you have a copy of catalina.jar in your
WEB-INF/lib.  If so, remove it ;)  There should only be one copy of that file
in Tomcat's server lib directory.

Yoav

Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com



Re: Accessing a custom user principal from a JAAS Realm

Posted by Brad O'Hearne <br...@neurofire.com>.
Yoav, 

Thanks for the reply. What version of Tomcat are you referring to? I am using 
Tomcat 5.0.28. With regards to your code below, there is no 
getUserPrincipal() method on the org.apache.catalina.realm.GenericPrincipal 
class. 

Furthermore, how's this for bizarre -- if I do an "instanceof" with the class 
returned from request.getUserPrincipal(), and print it out, I get the 
following:

Principal class is: org.apache.catalina.realm.GenericPrincipal

However, if I try to cast it to that class type in the very next line of code, 
the code throws a ClassCastException. Very weird. The library I am using is 
the catalina.jar sent with the code (which I happen to be packaging in my 
WEB-INF/lib directory of my webapp).

Is it possible that there's another version of this class out there somewhere 
in the Tomcat libraries, that's conflicting? 

Brad

On Wednesday 19 October 2005 07:15 am, Yoav Shapira wrote:
> Hi,
> You'd need to cast as follows:
>
> Principal mydude = request.getUserPrincipal();
> if (mydude instanceof GenericPrincipal) {
>   // GenericPrincipal wraps the login module's principal; unwrap it
>   mydude = ((GenericPrincipal) mydude).getUserPrincipal();
> }
>
> Yoav



Re: Accessing a custom user principal from a JAAS Realm

Posted by Yoav Shapira <yo...@apache.org>.
Hi,
You'd need to cast as follows:

Principal mydude = request.getUserPrincipal();
if (mydude instanceof GenericPrincipal) {
  // GenericPrincipal wraps the login module's principal; unwrap it
  mydude = ((GenericPrincipal) mydude).getUserPrincipal();
}

Yoav 

Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com

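An added example, not from this thread and not Tomcat's own code, that puts Yoav's unwrapping snippet and his duplicate-catalina.jar diagnosis together in one servlet-side helper. It assumes Tomcat 5.5.x, where GenericPrincipal.getUserPrincipal() exists (it does not in 5.0.28), and that the com.redbarnsoftware.web.security.UserPrincipal class from Brad's server.xml is on the webapp's classpath; the class and method names PrincipalUnwrapper, currentUser, diagnoseClassLoaderMismatch and location are mine.

```java
// Added example (not from the thread): unwrap the custom principal from
// Tomcat 5.5's GenericPrincipal without ever risking a ClassCastException,
// and, when neither cast matches, report whether the same class name is
// loaded twice by different class loaders (the duplicate catalina.jar in
// WEB-INF/lib case Yoav describes).
// Assumptions: Tomcat 5.5.x and the UserPrincipal class from Brad's
// server.xml; PrincipalUnwrapper and its methods are hypothetical names.
import java.security.CodeSource;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.realm.GenericPrincipal;
import com.redbarnsoftware.web.security.UserPrincipal;

public final class PrincipalUnwrapper {

    private static final Logger LOG = Logger.getLogger(PrincipalUnwrapper.class.getName());

    private PrincipalUnwrapper() {}

    /**
     * Returns the application's UserPrincipal for the authenticated request,
     * or null when the request is unauthenticated or the principal cannot be
     * unwrapped. A class that merely has the right name is treated as
     * "not ours" and diagnosed instead of cast.
     */
    public static UserPrincipal currentUser(HttpServletRequest request) {
        Principal raw = request.getUserPrincipal();
        if (raw == null) {
            return null;            // no authenticated user on this request
        }
        Principal p = raw;
        // Tomcat 5.5 wraps the login module's principal in GenericPrincipal
        // and exposes the original through getUserPrincipal().
        if (raw instanceof GenericPrincipal) {
            Principal inner = ((GenericPrincipal) raw).getUserPrincipal();
            if (inner != null) {
                p = inner;
            }
        }
        if (p instanceof UserPrincipal) {
            return (UserPrincipal) p;
        }
        // Neither cast worked: check for the "same name, different class" case.
        diagnoseClassLoaderMismatch(raw, GenericPrincipal.class);
        diagnoseClassLoaderMismatch(p, UserPrincipal.class);
        return null;
    }

    /**
     * Explains the "getClass().getName() prints GenericPrincipal but the cast
     * throws" symptom: the JVM treats classes with the same name loaded by
     * different loaders as unrelated types. Logs where each copy came from so
     * the duplicate jar can be removed. Returns true when a mismatch was found.
     */
    static boolean diagnoseClassLoaderMismatch(Principal actual, Class<?> expected) {
        Class<?> actualClass = actual.getClass();
        if (!actualClass.getName().equals(expected.getName()) || actualClass == expected) {
            return false;          // a different type altogether, or genuinely the same class
        }
        LOG.warning("Class " + expected.getName() + " is loaded twice: "
                + "copy visible to this webapp from " + location(expected)
                + " (loader " + expected.getClassLoader() + "), "
                + "copy the realm returned from " + location(actualClass)
                + " (loader " + actualClass.getClassLoader() + "). "
                + "Remove the duplicate jar from WEB-INF/lib.");
        return true;
    }

    // Where a class was loaded from, for the log message.
    private static String location(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null)
                ? "<bootstrap or unknown>" : cs.getLocation().toString();
    }
}
```

Call UserPrincipal u = PrincipalUnwrapper.currentUser(request) from a servlet. A log warning naming two different jar locations for one class name is the signal that a jar is packaged twice (for example catalina.jar both in Tomcat's server lib directory and in WEB-INF/lib); removing the webapp copy makes the instanceof checks succeed and the diagnostic go quiet.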