You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Darren Clarke <da...@aciddigital.com> on 2006/09/21 13:53:08 UTC

Custom Principal casting problem

Hi

Apologies in advance if I'm going over old ground here - I have spent  
a day and a bit searching the web and have found people with the same  
problem, but I'm not finding the solution anywhere...

I've created my own Tomcat Realm that performs custom  
authentication.  The various authenticate() and getPrinicipal()  
methods return a custom principal.  My custom principal implements a  
custom interface, which in turn implements the standard Principal, i.e.:

     package poc.security;

     public interface I_TestPrincipal extends java.security.Principal  
{ ... }

     public class TestPrincipal implements I_TestPrincipal { ... }


Based on this, I can login to the website and authentication works  
fully, as do the role checks (such as request.isUserInRole() called  
from a JSP).

However, if I want my page to do anything with my custom principal, I  
get a ClassCastException.  So, for example, the following line will  
fail:

     ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()


The best notes I've found on the subject are those in the Tomcat Wiki  
HowTo, and I think the most suitable of those suggestions is the  
solution based on Common Interfaces.

So, I've partitioned my code such that:
	JSPs/Servlets are in a WAR in $TOMCAT/webapps
	Realm and Principal classes are in a JAR installed in $TOMCAT/server/ 
lib
	Principal Interface is in a JAR in $TOMCAT/common/lib

If I understand the wiki correctly, this should work.  However,  
although my realm still works fully and authentication succeeds and  
although my JSP can find/load the interface class, the cast
	(I_TestPrincipal) request.getUserPrincipal()
still fails.


In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7

Thanks in advance
Darren Clarke


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Custom Principal casting problem

Posted by Darren Clarke <da...@aciddigital.com>.

Hi Martin

Thanks for the speedy response.

Re there being no guarantee that the type I'm casting is of the  
appropriate type, I was actually doing an instanceof test, that I  
omitted to mention and which fails, i.e.

	request.getUserPrincipal().getClass().toString()   returns    
"poc.security.TestPrincipal"

	(request.getUserPrincipal() instanceof  
poc.security.I_TestPrincipal   returns   false


However, taking up your second suggestion, I think I understand up to  
a point.  So I'd create:

	public interface MyHttpServletRequest  implements  
javax.servlet.http.HttpServletRequest {...}

	public class MyHttpServlet extends javax.servlet.http.HttpServlet {...}

Presumably my servlets then all extend MyHttpServlet, rather than  
HttpServlet, but I don't see what I put in either my new class or  
interface that differentiates them from their ancestors, or how my  
new interface MyHttpServletRequest would get picked up and used by  
Tomcat when calling my servlet's methods.


Actually, now I've written that, I have to take it back - I don't  
think I understand at all ;-)

Sorry if I'm being thick.
Darren



On 21 Sep 2006, at 13:30, Martin Gainty wrote:

> Good Morning Darren-
> You can always downcast but upcasting is always problematic
> request.getUserPrincipal() returns the base class of  
> java.security.Principal
> you are trying to upcast to your own derived class which is always  
> dangerous since there is no
> guarantee the object you are passing is of type yourOwnDerivedClass
> You can either use classic request.getUserPrincipal() to return  
> legacy javax.security.Principal
> OR
> you can implement your own interface MyHttpServletRequest from  
> javax.servlet.http.HttpServletRequest
> then implement your own MyHttpServlet from  
> javax.servlet.http.HttpServlet
> which then implements your own customised Interface  
> MyHttpServletRequest
> comprenez?
> Martin --
> *********************************************************************
> This email message and any files transmitted with it contain  
> confidential
> information intended only for the person(s) to whom this email  
> message is
> addressed.  If you have received this email message in error,  
> please notify
> the sender immediately by telephone or email and destroy the original
> message without making a copy.  Thank you.
>
>
>
> ----- Original Message -----
> From: "Darren Clarke" <da...@aciddigital.com>
> To: <us...@tomcat.apache.org>
> Sent: Thursday, September 21, 2006 7:53 AM
> Subject: Custom Principal casting problem
>
>
>> Hi
>>
>> Apologies in advance if I'm going over old ground here - I have spent
>> a day and a bit searching the web and have found people with the same
>> problem, but I'm not finding the solution anywhere...
>>
>> I've created my own Tomcat Realm that performs custom
>> authentication.  The various authenticate() and getPrinicipal()
>> methods return a custom principal.  My custom principal implements a
>> custom interface, which in turn implements the standard Principal,  
>> i.e.:
>>
>>     package poc.security;
>>
>>     public interface I_TestPrincipal extends java.security.Principal
>> { ... }
>>
>>     public class TestPrincipal implements I_TestPrincipal { ... }
>>
>>
>> Based on this, I can login to the website and authentication works
>> fully, as do the role checks (such as request.isUserInRole() called
>> from a JSP).
>>
>> However, if I want my page to do anything with my custom principal, I
>> get a ClassCastException.  So, for example, the following line will
>> fail:
>>
>>     ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
>>
>>
>> The best notes I've found on the subject are those in the Tomcat Wiki
>> HowTo, and I think the most suitable of those suggestions is the
>> solution based on Common Interfaces.
>>
>> So, I've partitioned my code such that:
>> JSPs/Servlets are in a WAR in $TOMCAT/webapps
>> Realm and Principal classes are in a JAR installed in $TOMCAT/server/
>> lib
>> Principal Interface is in a JAR in $TOMCAT/common/lib
>>
>> If I understand the wiki correctly, this should work.  However,
>> although my realm still works fully and authentication succeeds and
>> although my JSP can find/load the interface class, the cast
>> (I_TestPrincipal) request.getUserPrincipal()
>> still fails.
>>
>>
>> In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
>>
>> Thanks in advance
>> Darren Clarke
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Custom Principal casting problem

Posted by Martin Gainty <mg...@hotmail.com>.

Good Morning Darren-
You can always downcast but upcasting is always problematic
request.getUserPrincipal() returns the base class of java.security.Principal
you are trying to upcast to your own derived class which is always dangerous since there is no
guarantee the object you are passing is of type yourOwnDerivedClass
You can either use classic request.getUserPrincipal() to return legacy javax.security.Principal 
OR
you can implement your own interface MyHttpServletRequest from javax.servlet.http.HttpServletRequest
then implement your own MyHttpServlet from javax.servlet.http.HttpServlet
which then implements your own customised Interface MyHttpServletRequest
comprenez?
Martin --
*********************************************************************
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed.  If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy.  Thank you.



----- Original Message ----- 
From: "Darren Clarke" <da...@aciddigital.com>
To: <us...@tomcat.apache.org>
Sent: Thursday, September 21, 2006 7:53 AM
Subject: Custom Principal casting problem


> Hi
> 
> Apologies in advance if I'm going over old ground here - I have spent  
> a day and a bit searching the web and have found people with the same  
> problem, but I'm not finding the solution anywhere...
> 
> I've created my own Tomcat Realm that performs custom  
> authentication.  The various authenticate() and getPrinicipal()  
> methods return a custom principal.  My custom principal implements a  
> custom interface, which in turn implements the standard Principal, i.e.:
> 
>     package poc.security;
> 
>     public interface I_TestPrincipal extends java.security.Principal  
> { ... }
> 
>     public class TestPrincipal implements I_TestPrincipal { ... }
> 
> 
> Based on this, I can login to the website and authentication works  
> fully, as do the role checks (such as request.isUserInRole() called  
> from a JSP).
> 
> However, if I want my page to do anything with my custom principal, I  
> get a ClassCastException.  So, for example, the following line will  
> fail:
> 
>     ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
> 
> 
> The best notes I've found on the subject are those in the Tomcat Wiki  
> HowTo, and I think the most suitable of those suggestions is the  
> solution based on Common Interfaces.
> 
> So, I've partitioned my code such that:
> JSPs/Servlets are in a WAR in $TOMCAT/webapps
> Realm and Principal classes are in a JAR installed in $TOMCAT/server/ 
> lib
> Principal Interface is in a JAR in $TOMCAT/common/lib
> 
> If I understand the wiki correctly, this should work.  However,  
> although my realm still works fully and authentication succeeds and  
> although my JSP can find/load the interface class, the cast
> (I_TestPrincipal) request.getUserPrincipal()
> still fails.
> 
> 
> In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
> 
> Thanks in advance
> Darren Clarke
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
>

Re: Custom Principal casting problem

Posted by Darren Clarke <da...@aciddigital.com>.

Sorry all - my bad.

Suggestion 3 in the WIKI (http://wiki.apache.org/tomcat/HowTo#head- 
cb66e750a22dea34b56f508dd675ed3c2e2e221a) works perfectly as advertised.

For the archive, my problem was due to an old JAR lurking in server/ 
lib that I thought had gone, so my custom principal interface  
(I_TestPrincipal in the example code below) was in both server/lib  
and common/lib and therefore my custom Realm was actually loading  
from server/lib instead of common/lib.



On 21 Sep 2006, at 12:53, Darren Clarke wrote:

> Hi
>
> Apologies in advance if I'm going over old ground here - I have  
> spent a day and a bit searching the web and have found people with  
> the same problem, but I'm not finding the solution anywhere...
>
> I've created my own Tomcat Realm that performs custom  
> authentication.  The various authenticate() and getPrinicipal()  
> methods return a custom principal.  My custom principal implements  
> a custom interface, which in turn implements the standard  
> Principal, i.e.:
>
>     package poc.security;
>
>     public interface I_TestPrincipal extends  
> java.security.Principal { ... }
>
>     public class TestPrincipal implements I_TestPrincipal { ... }
>
>
> Based on this, I can login to the website and authentication works  
> fully, as do the role checks (such as request.isUserInRole() called  
> from a JSP).
>
> However, if I want my page to do anything with my custom principal,  
> I get a ClassCastException.  So, for example, the following line  
> will fail:
>
>     ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
>
>
> The best notes I've found on the subject are those in the Tomcat  
> Wiki HowTo, and I think the most suitable of those suggestions is  
> the solution based on Common Interfaces.
>
> So, I've partitioned my code such that:
> 	JSPs/Servlets are in a WAR in $TOMCAT/webapps
> 	Realm and Principal classes are in a JAR installed in $TOMCAT/ 
> server/lib
> 	Principal Interface is in a JAR in $TOMCAT/common/lib
>
> If I understand the wiki correctly, this should work.  However,  
> although my realm still works fully and authentication succeeds and  
> although my JSP can find/load the interface class, the cast
> 	(I_TestPrincipal) request.getUserPrincipal()
> still fails.
>
>
> In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
>
> Thanks in advance
> Darren Clarke
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org