Posted to dev@tomcat.apache.org by Shivaraj Tenginakai <ts...@gmail.com> on 2006/12/08 19:23:34 UTC
Support for JAAS credentials
Hi All,
The current JAAS-based authentication in Tomcat (6.0.2) has no means of
manipulating the associated credentials. This prevents an application from
specifying more complex security policies, for example timing out the roles
independent of the session timeout.
A very simple fix would be to make the subject object accessible from the
session object. One could then, for example, use a valve to enforce custom
security policies.
Though not part of the servlet specification (from what I can tell), are there
any strong reasons for not supporting this feature?
Thanks much,
Shivaraj
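An added example (not code from the thread or from Tomcat) of the kind of valve the post has in mind: it expires the roles granted at login after a fixed interval, independently of the HTTP session timeout. It assumes the Tomcat 6 valve API (ValveBase, Session notes) and assumes that a customized authenticator has stored the JAAS Subject as a session note under the hypothetical key SUBJECT_NOTE, which is exactly the accessor the post proposes and is not present in stock 6.0.2.

```java
package example;  // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Expires cached roles a fixed time after authentication, independently of
 * the session timeout. Configured in server.xml as a Valve with an optional
 * roleTtlMillis attribute.
 */
public class RoleExpiryValve extends ValveBase {

    // Hypothetical note keys; a customized authenticator would set them.
    static final String SUBJECT_NOTE = "example.jaas.subject";
    static final String AUTH_TIME_NOTE = "example.jaas.authTime";

    private long roleTtlMillis = 15 * 60 * 1000L;  // default: 15 minutes

    public void setRoleTtlMillis(long roleTtlMillis) {
        this.roleTtlMillis = roleTtlMillis;
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Session session = request.getSessionInternal(false);
        Principal principal = request.getUserPrincipal();
        if (session != null && principal != null) {
            Long authTime = (Long) session.getNote(AUTH_TIME_NOTE);
            long now = System.currentTimeMillis();
            if (authTime == null) {
                // First authenticated request in this session: record when roles were granted.
                session.setNote(AUTH_TIME_NOTE, Long.valueOf(now));
            } else if (now - authTime.longValue() > roleTtlMillis) {
                // Roles are stale: drop the cached principal and Subject but keep the
                // session, so the authenticator re-challenges on the next protected request.
                session.removeNote(AUTH_TIME_NOTE);
                session.removeNote(SUBJECT_NOTE);
                session.setPrincipal(null);
                request.setUserPrincipal(null);
                request.setAuthType(null);
            }
        }
        getNext().invoke(request, response);
    }
}
```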
Re: Support for JAAS credentials
Posted by Mark Thomas <ma...@apache.org>.
Shivaraj Tenginakai wrote:
> I have an outline implementation that, by extending FormAuthenticator,
> allows for (more) complete JAAS support in Tomcat. From what I can tell
> using Google, it could be useful for others too.
>
> I would appreciate it if I could be pointed towards the RFC process for
> gauging the usefulness of the change for future Tomcat releases.
Create a bug report with severity of enhancement.
Your bug report description should be concise and include a use case,
description of the new functionality and an explanation of any new
configuration options.
Your proposed patch should be attached to the bug report. Please use
diff -u format and generate the patch against the latest
release or, even better, SVN trunk.
Regards,
Mark
Re: Support for JAAS credentials
Posted by Shivaraj Tenginakai <ts...@gmail.com>.
I have an outline implementation that, by extending FormAuthenticator,
allows for (more) complete JAAS support in Tomcat. From what I can tell
using Google, it could be useful for others too.
I would appreciate it if I could be pointed towards the RFC process for gauging
the usefulness of the change for future Tomcat releases.
Thanks,
Shivaraj
On 12/8/06, Shivaraj Tenginakai <ts...@gmail.com> wrote:
>
> Hi All,
>
> The current JAAS-based authentication in Tomcat (6.0.2) has no means of
> manipulating the associated credentials. This prevents an application from
> specifying more complex security policies, for example timing out the roles
> independent of the session timeout.
>
> A very simple fix would be to make the subject object accessible from the
> session object. One could then, for example, use a valve to enforce custom
> security policies.
>
> Though not part of the servlet specification (from what I can tell), are there
> any strong reasons for not supporting this feature?
>
> Thanks much,
>
> Shivaraj