Posted to dev@tomcat.apache.org by Shivaraj Tenginakai <ts...@gmail.com> on 2006/12/08 19:23:34 UTC

Support for JAAS credentials

Hi All,

The current JAAS based authentication in Tomcat (6.0.2) has no means of
manipulating the associated credentials. This prevents an application from
specifying more complex security policies. For example, timing out the roles
independently of the session timeout.

A very simple fix would be to make the subject object accessible from the
session object. One could then, for example, use a valve to enforce custom
security policies.

Though not part of the servlet specification (from what I can tell), are there
any strong reasons for not supporting this feature?

Thanks much,

Shivaraj
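An added illustration of the valve idea in this post (not code from the thread or from Tomcat itself), assuming the proposed change stores the JAAS Subject as a session note under a hypothetical key "jaas.subject", and that the valve is declared in the context pipeline so it runs before the authenticator:

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Expires the authenticated JAAS Subject after a fixed lifetime that is
 * independent of the HTTP session timeout. Assumes (hypothetically) that the
 * authenticator stored the Subject as a session note under SUBJECT_NOTE.
 */
public class SubjectLifetimeValve extends ValveBase {

    private static final Log log = LogFactory.getLog(SubjectLifetimeValve.class);

    /** Hypothetical note key; the proposal on the list does not fix a name. */
    static final String SUBJECT_NOTE = "jaas.subject";
    /** Note key this valve uses to remember when the Subject was first seen. */
    static final String SEEN_NOTE = "jaas.subject.firstSeen";

    private long maxSubjectAgeMillis = 15 * 60 * 1000L; // default 15 minutes

    /** Settable from the <Valve> element, e.g. maxSubjectAgeMinutes="5". */
    public void setMaxSubjectAgeMinutes(long minutes) {
        maxSubjectAgeMillis = minutes * 60 * 1000L;
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Session session = request.getSessionInternal(false);
        if (session != null && session.getNote(SUBJECT_NOTE) instanceof Subject) {
            Long firstSeen = (Long) session.getNote(SEEN_NOTE);
            long now = System.currentTimeMillis();
            if (firstSeen == null) {
                session.setNote(SEEN_NOTE, Long.valueOf(now));
            } else if (now - firstSeen.longValue() > maxSubjectAgeMillis) {
                // Roles have outlived their lease: drop the cached principal and
                // Subject so the authenticator, which runs after this valve,
                // challenges the user again even though the session lives on.
                session.removeNote(SUBJECT_NOTE);
                session.removeNote(SEEN_NOTE);
                session.setPrincipal(null);
                request.setUserPrincipal(null);
                log.info("JAAS subject expired for session " + session.getId());
            }
        }
        getNext().invoke(request, response);
    }
}
```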

Re: Support for JAAS credentials

Posted by Mark Thomas <ma...@apache.org>.
Shivaraj Tenginakai wrote:
> I have an outline implementation, that by extending FormAuthenticator,
> allows for (more) complete JAAS support in Tomcat. From what I can tell
> using Google, it could be useful for others too.
> 
> I would appreciate it if I could be pointed towards the RFC process for
> gauging the usefulness of the change for future Tomcat releases.

Create a bug report with severity of enhancement.

Your bug report description should be concise and include a use case,
description of the new functionality and an explanation of any new
configuration options.

Your proposed patch should be attached to the bug report. Please use
diff -u format and generate the patch against the latest
release or, even better, SVN trunk.

Regards,

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Support for JAAS credentials

Posted by Shivaraj Tenginakai <ts...@gmail.com>.
I have an outline implementation, that by extending FormAuthenticator,
allows for (more) complete JAAS support in Tomcat. From what I can tell
using Google, it could be useful for others too.

I would appreciate it if I could be pointed towards the RFC process for
gauging the usefulness of the change for future Tomcat releases.

Thanks,

Shivaraj
