Posted to users@tomcat.apache.org by Dhiraj Ramakrishnan <st...@gmail.com> on 2006/04/10 23:35:57 UTC

Can we set the User Principal to another user once a user has been logged in?

Hi,

I know the requirements look a little suspicious, but they are valid.

The requirements:

1. A user 'SUPERUSER', who can mimic the activities of any user in the system.

2. So 'SUPERUSER' will log in and then pass in a request saying that he wants to impersonate user 'X'.

3. Now 'SUPERUSER' will only have all the roles associated with user 'X'.

4. When 'SUPERUSER' tries to impersonate 'X', 'SUPERUSER' has already been authenticated, so I should not ask for X's password from 'SUPERUSER'.

Is it possible to have such a behaviour within Tomcat? One of the easiest ways is to substitute the user principal with 'X' once such a request for impersonation comes in.

What are the other ways in which I could induce such a behaviour?

Thanks & Regards,

Dhiraj Ramakrishnan
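
The principal substitution described in the post can be done per request with a servlet filter; the sketch below is an added example, not part of the original post and not Tomcat's own code. It assumes the `javax.servlet` API and Java 9+, and the `impersonate` parameter, the `impersonatedUser` session attribute and the `ROLES` map are hypothetical names.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

/** Lets the authenticated SUPERUSER act as user X without X's password. */
public class ImpersonationFilter implements Filter {
    private static final Logger AUDIT = Logger.getLogger("impersonation.audit");
    static final String ATTR = "impersonatedUser";        // hypothetical session attribute
    // Hypothetical role source; a real application would query its user store.
    static final Map<String, Set<String>> ROLES = Map.of("X", Set.of("clerk"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // 'req' is the unwrapped request, so this is the container-authenticated name.
        boolean isSuper = "SUPERUSER".equals(req.getRemoteUser());
        String target = req.getParameter("impersonate");  // hypothetical parameter
        // Only SUPERUSER may start impersonating, only via POST, only a known user.
        if (isSuper && target != null && "POST".equals(req.getMethod())
                && ROLES.containsKey(target)) {
            req.getSession().setAttribute(ATTR, target);
            AUDIT.info("SUPERUSER now impersonating " + target
                    + " from " + req.getRemoteAddr());     // keep an audit trail
        }
        HttpSession s = req.getSession(false);
        final String as = (s == null) ? null : (String) s.getAttribute(ATTR);
        if (!isSuper || as == null) {
            chain.doFilter(rq, rs);                        // no impersonation in effect
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public Principal getUserPrincipal() { return () -> as; }
            @Override public String getRemoteUser() { return as; }
            // Requirement 3: only X's roles, none of SUPERUSER's own.
            @Override public boolean isUserInRole(String role) {
                return ROLES.getOrDefault(as, Set.of()).contains(role);
            }
        }, rs);
    }
}
```

The wrapper changes only what application code sees through `getUserPrincipal()`, `getRemoteUser()` and `isUserInRole()`; declarative `<security-constraint>` rules in `web.xml` are enforced by the container before filters run and are still evaluated against SUPERUSER.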