You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Darren Clarke <da...@aciddigital.com> on 2006/09/21 13:53:08 UTC
Custom Principal casting problem
Hi
Apologies in advance if I'm going over old ground here - I have spent
a day and a bit searching the web and have found people with the same
problem, but I'm not finding the solution anywhere...
I've created my own Tomcat Realm that performs custom
authentication. The various authenticate() and getPrinicipal()
methods return a custom principal. My custom principal implements a
custom interface, which in turn implements the standard Principal, i.e.:
package poc.security;
public interface I_TestPrincipal extends java.security.Principal
{ ... }
public class TestPrincipal implements I_TestPrincipal { ... }
Based on this, I can login to the website and authentication works
fully, as do the role checks (such as request.isUserInRole() called
from a JSP).
However, if I want my page to do anything with my custom principal, I
get a ClassCastException. So, for example, the following line will
fail:
((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
The best notes I've found on the subject are those in the Tomcat Wiki
HowTo, and I think the most suitable of those suggestions is the
solution based on Common Interfaces.
So, I've partitioned my code such that:
JSPs/Servlets are in a WAR in $TOMCAT/webapps
Realm and Principal classes are in a JAR installed in $TOMCAT/server/
lib
Principal Interface is in a JAR in $TOMCAT/common/lib
If I understand the wiki correctly, this should work. However,
although my realm still works fully and authentication succeeds and
although my JSP can find/load the interface class, the cast
(I_TestPrincipal) request.getUserPrincipal()
still fails.
In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
Thanks in advance
Darren Clarke
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Custom Principal casting problem
Posted by Darren Clarke <da...@aciddigital.com>.
Hi Martin
Thanks for the speedy response.
Re there being no guarantee that the type I'm casting is of the
appropriate type, I was actually doing an instanceof test, that I
omitted to mention and which fails, i.e.
request.getUserPrincipal().getClass().toString() returns
"poc.security.TestPrincipal"
(request.getUserPrincipal() instanceof
poc.security.I_TestPrincipal returns false
However, taking up your second suggestion, I think I understand up to
a point. So I'd create:
public interface MyHttpServletRequest implements
javax.servlet.http.HttpServletRequest {...}
public class MyHttpServlet extends javax.servlet.http.HttpServlet {...}
Presumably my servlets then all extend MyHttpServlet, rather than
HttpServlet, but I don't see what I put in either my new class or
interface that differentiates them from their ancestors, or how my
new interface MyHttpServletRequest would get picked up and used by
Tomcat when calling my servlet's methods.
Actually, now I've written that, I have to take it back - I don't
think I understand at all ;-)
Sorry if I'm being thick.
Darren
On 21 Sep 2006, at 13:30, Martin Gainty wrote:
> Good Morning Darren-
> You can always downcast but upcasting is always problematic
> request.getUserPrincipal() returns the base class of
> java.security.Principal
> you are trying to upcast to your own derived class which is always
> dangerous since there is no
> guarantee the object you are passing is of type yourOwnDerivedClass
> You can either use classic request.getUserPrincipal() to return
> legacy javax.security.Principal
> OR
> you can implement your own interface MyHttpServletRequest from
> javax.servlet.http.HttpServletRequest
> then implement your own MyHttpServlet from
> javax.servlet.http.HttpServlet
> which then implements your own customised Interface
> MyHttpServletRequest
> comprenez?
> Martin --
> *********************************************************************
> This email message and any files transmitted with it contain
> confidential
> information intended only for the person(s) to whom this email
> message is
> addressed. If you have received this email message in error,
> please notify
> the sender immediately by telephone or email and destroy the original
> message without making a copy. Thank you.
>
>
>
> ----- Original Message -----
> From: "Darren Clarke" <da...@aciddigital.com>
> To: <us...@tomcat.apache.org>
> Sent: Thursday, September 21, 2006 7:53 AM
> Subject: Custom Principal casting problem
>
>
>> Hi
>>
>> Apologies in advance if I'm going over old ground here - I have spent
>> a day and a bit searching the web and have found people with the same
>> problem, but I'm not finding the solution anywhere...
>>
>> I've created my own Tomcat Realm that performs custom
>> authentication. The various authenticate() and getPrinicipal()
>> methods return a custom principal. My custom principal implements a
>> custom interface, which in turn implements the standard Principal,
>> i.e.:
>>
>> package poc.security;
>>
>> public interface I_TestPrincipal extends java.security.Principal
>> { ... }
>>
>> public class TestPrincipal implements I_TestPrincipal { ... }
>>
>>
>> Based on this, I can login to the website and authentication works
>> fully, as do the role checks (such as request.isUserInRole() called
>> from a JSP).
>>
>> However, if I want my page to do anything with my custom principal, I
>> get a ClassCastException. So, for example, the following line will
>> fail:
>>
>> ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
>>
>>
>> The best notes I've found on the subject are those in the Tomcat Wiki
>> HowTo, and I think the most suitable of those suggestions is the
>> solution based on Common Interfaces.
>>
>> So, I've partitioned my code such that:
>> JSPs/Servlets are in a WAR in $TOMCAT/webapps
>> Realm and Principal classes are in a JAR installed in $TOMCAT/server/
>> lib
>> Principal Interface is in a JAR in $TOMCAT/common/lib
>>
>> If I understand the wiki correctly, this should work. However,
>> although my realm still works fully and authentication succeeds and
>> although my JSP can find/load the interface class, the cast
>> (I_TestPrincipal) request.getUserPrincipal()
>> still fails.
>>
>>
>> In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
>>
>> Thanks in advance
>> Darren Clarke
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Custom Principal casting problem
Posted by Martin Gainty <mg...@hotmail.com>.
Good Morning Darren-
You can always downcast but upcasting is always problematic
request.getUserPrincipal() returns the base class of java.security.Principal
you are trying to upcast to your own derived class which is always dangerous since there is no
guarantee the object you are passing is of type yourOwnDerivedClass
You can either use classic request.getUserPrincipal() to return legacy javax.security.Principal
OR
you can implement your own interface MyHttpServletRequest from javax.servlet.http.HttpServletRequest
then implement your own MyHttpServlet from javax.servlet.http.HttpServlet
which then implements your own customised Interface MyHttpServletRequest
comprenez?
Martin --
*********************************************************************
This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed. If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy. Thank you.
----- Original Message -----
From: "Darren Clarke" <da...@aciddigital.com>
To: <us...@tomcat.apache.org>
Sent: Thursday, September 21, 2006 7:53 AM
Subject: Custom Principal casting problem
> Hi
>
> Apologies in advance if I'm going over old ground here - I have spent
> a day and a bit searching the web and have found people with the same
> problem, but I'm not finding the solution anywhere...
>
> I've created my own Tomcat Realm that performs custom
> authentication. The various authenticate() and getPrinicipal()
> methods return a custom principal. My custom principal implements a
> custom interface, which in turn implements the standard Principal, i.e.:
>
> package poc.security;
>
> public interface I_TestPrincipal extends java.security.Principal
> { ... }
>
> public class TestPrincipal implements I_TestPrincipal { ... }
>
>
> Based on this, I can login to the website and authentication works
> fully, as do the role checks (such as request.isUserInRole() called
> from a JSP).
>
> However, if I want my page to do anything with my custom principal, I
> get a ClassCastException. So, for example, the following line will
> fail:
>
> ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
>
>
> The best notes I've found on the subject are those in the Tomcat Wiki
> HowTo, and I think the most suitable of those suggestions is the
> solution based on Common Interfaces.
>
> So, I've partitioned my code such that:
> JSPs/Servlets are in a WAR in $TOMCAT/webapps
> Realm and Principal classes are in a JAR installed in $TOMCAT/server/
> lib
> Principal Interface is in a JAR in $TOMCAT/common/lib
>
> If I understand the wiki correctly, this should work. However,
> although my realm still works fully and authentication succeeds and
> although my JSP can find/load the interface class, the cast
> (I_TestPrincipal) request.getUserPrincipal()
> still fails.
>
>
> In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
>
> Thanks in advance
> Darren Clarke
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Custom Principal casting problem
Posted by Darren Clarke <da...@aciddigital.com>.
Sorry all - my bad.
Suggestion 3 in the WIKI (http://wiki.apache.org/tomcat/HowTo#head-
cb66e750a22dea34b56f508dd675ed3c2e2e221a) works perfectly as advertised.
For the archive, my problem was due to an old JAR lurking in server/
lib that I thought had gone, so my custom principal interface
(I_TestPrincipal in the example code below) was in both server/lib
and common/lib and therefore my custom Realm was actually loading
from server/lib instead of common/lib.
On 21 Sep 2006, at 12:53, Darren Clarke wrote:
> Hi
>
> Apologies in advance if I'm going over old ground here - I have
> spent a day and a bit searching the web and have found people with
> the same problem, but I'm not finding the solution anywhere...
>
> I've created my own Tomcat Realm that performs custom
> authentication. The various authenticate() and getPrinicipal()
> methods return a custom principal. My custom principal implements
> a custom interface, which in turn implements the standard
> Principal, i.e.:
>
> package poc.security;
>
> public interface I_TestPrincipal extends
> java.security.Principal { ... }
>
> public class TestPrincipal implements I_TestPrincipal { ... }
>
>
> Based on this, I can login to the website and authentication works
> fully, as do the role checks (such as request.isUserInRole() called
> from a JSP).
>
> However, if I want my page to do anything with my custom principal,
> I get a ClassCastException. So, for example, the following line
> will fail:
>
> ((I_TestPrincipal) request.getUserPrincipal()).someCustomMethod()
>
>
> The best notes I've found on the subject are those in the Tomcat
> Wiki HowTo, and I think the most suitable of those suggestions is
> the solution based on Common Interfaces.
>
> So, I've partitioned my code such that:
> JSPs/Servlets are in a WAR in $TOMCAT/webapps
> Realm and Principal classes are in a JAR installed in $TOMCAT/
> server/lib
> Principal Interface is in a JAR in $TOMCAT/common/lib
>
> If I understand the wiki correctly, this should work. However,
> although my realm still works fully and authentication succeeds and
> although my JSP can find/load the interface class, the cast
> (I_TestPrincipal) request.getUserPrincipal()
> still fails.
>
>
> In case it helps, I'm running Tomcat 5.5.17 on Mac OS 10.4.7
>
> Thanks in advance
> Darren Clarke
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org