Posted to users@tomcat.apache.org by Alan Weissman <aw...@nyc.yamaha.com> on 2004/03/12 18:44:48 UTC
JAAS: Where does role information go in a Subject?
I'm implementing a JAAS login mechanism in my app, not as a Realm but
via Struts Action classes.
In my loginModule, I am creating the Subject with principals and
credentials and want to store role information. Where does Tomcat
expect a list of roles to be in the Subject? I haven't been able to
figure this out. I want to make sure that in the future I can use
features that check request.isUserInRole(roleName).
Also, within the session object, should the Subject be cached under
'subject_key'? I found this somewhere but am unsure about it.
Thanks,
Alan
Re: JAAS: Where does role information go in a Subject?
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 03/12/2004 08:02 PM Alan Weissman wrote:
> Hm! Thanks Adam - I guess that makes sense! Ok, so my two requirements
> for my authentication are 1) that I can load custom information into the
> session object and 2) that I support isUserInRole(). Realm
> authentication should take care of #2, but what can I do about #1 since
> I won't have any control over what happens at login?
well you can put in a filter that checks for the user info in the
session and creates it when it isn't there.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
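The filter approach suggested in the reply above, as an added example that is not part of the original thread or of Tomcat's code: the Realm performs the login and answers isUserInRole(), and the filter only fills in application data once a principal is present. The class name, the session attribute names and the loadUserInfo() helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Lazily loads per-user data into the session after container-managed login.
public class UserInfoFilter implements Filter {
    // Assumed attribute names; neither is defined by Tomcat or the servlet spec.
    static final String INFO_KEY = "app.userInfo";
    static final String OWNER_KEY = "app.userInfo.owner";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // Null until the container's Realm has authenticated the caller.
            Principal user = request.getUserPrincipal();
            if (user != null) {
                HttpSession session = request.getSession();
                String owner = (String) session.getAttribute(OWNER_KEY);
                // Load when absent, and reload if the session now belongs to a
                // different user, so cached data never outlives its owner.
                if (!user.getName().equals(owner)) {
                    session.setAttribute(INFO_KEY, loadUserInfo(user.getName()));
                    session.setAttribute(OWNER_KEY, user.getName());
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Hypothetical loader: replace with the application's own lookup.
    Map<String, Object> loadUserInfo(String username) {
        Map<String, Object> info = new HashMap<String, Object>();
        info.put("username", username);
        return info;
    }
}
```

The filter is mapped in web.xml over the protected URL patterns. It never creates a session for an unauthenticated request and never makes an authorization decision itself; role checks stay with request.isUserInRole().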
RE: JAAS: Where does role information go in a Subject?
Posted by Alan Weissman <aw...@nyc.yamaha.com>.
Hm! Thanks Adam - I guess that makes sense! Ok, so my two requirements
for my authentication are 1) that I can load custom information into the
session object and 2) that I support isUserInRole(). Realm
authentication should take care of #2, but what can I do about #1 since
I won't have any control over what happens at login?
-----Original Message-----
From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
Sent: Friday, March 12, 2004 1:48 PM
To: Tomcat Users List
Subject: Re: JAAS: Where does role information go in a Subject?
On 03/12/2004 06:44 PM Alan Weissman wrote:
> I'm implementing a JAAS login mechanism in my app, not as a Realm but
> via Struts Action classes.
>
> In my loginModule, I am creating the Subject with principals and
> credentials and want to store role information. Where does Tomcat
> expect a list of roles to be in the Subject? I haven't been able to
> figure this out. I want to make sure that in the future I can use
> features that check request.isUserInRole(roleName).
That would be messin' with the container-managed security, which isn't
allowed according to the servlet spec. You can't mix & match your own
login with the container-managed stuff, unless you're modifying Tomcat
source code.
Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
Re: JAAS: Where does role information go in a Subject?
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 03/12/2004 06:44 PM Alan Weissman wrote:
> I'm implementing a JAAS login mechanism in my app, not as a Realm but
> via Struts Action classes.
>
> In my loginModule, I am creating the Subject with principals and
> credentials and want to store role information. Where does Tomcat
> expect a list of roles to be in the Subject? I haven't been able to
> figure this out. I want to make sure that in the future I can use
> features that check request.isUserInRole(roleName).
That would be messin' with the container-managed security, which isn't
allowed according to the servlet spec. You can't mix & match your own
login with the container-managed stuff, unless you're modifying Tomcat
source code.
Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian