Hi there,
are there other comments on that? I'd like to implement this and want to
provide a CR on GitHub if there is a fair chance that this enhancement
will make it into Tomcat :)
Trying to summarize what has been discussed so far: (read the other
posts for more information)
The basic idea is to obtain additional user attributes and provide
these to the application through an "attributes" map of the Principal
class (e.g. the user's display name, e-mail address, etc.).
Since such user (-related) data is often available in data stores also
used for authentication, it shall be up to the Realm to query these
extra attributes. (Additionally, the Realm already has access data and
credentials to access that data store and also creates and populates the
Principal instance.)
The provided extra user information is not crucial for the Realm and its
authentication and authorization process.
Olaf Kock suggested agreeing upon a set of "standard" additional
user attributes, which the Realm should query for by default. However,
for at least these reasons, I believe that this is just not possible:
1. Every application's needs are different
2. Every user data store is different
3. Cultural differences may require different attributes to form names
or addresses, for example
In contrast to that, my initial idea was to specify the desired extra
user attributes as a comma-separated list through a new configuration
option of the Realm (called "extraAttributes" or "userAttributes"). This
list is nearly equivalent to a SELECT clause in SQL. However, that
"SELECT clause" shall work as well with Realms not based on SQL.
Not all Realms can/shall support that optional new feature. For example,
JAASRealm, which is merely a wrapper around an arbitrary authentication
and authorization process behind the curtain, likely cannot participate
in this.
The queried attributes shall be provided to the application through a
new "attributes" map of the Principal instance. Accessors to this map
should be declared in either TomcatPrincipal or GenericPrincipal. Still
to be discussed is which accessors to implement:
Map<String, Object> getUserAttributesMap()
vs.
Object getUserAttribute(String name)
String[] getUserAttributeNames()
void setUserAttribute(String name, Object o)
void removeUserAttribute(String name)
The attribute names specified in the configuration option (SELECT
clause) must be the actual field names of the attribute, of course.
These also form the names/keys of the attributes in the Principal's
attribute map (could/should be prefixed with a namespace or prefix):
Realm-Configuration:
userAttributes="attr1, displayName, dept_no"
Using the attributes:
String s1 = (String) principal.getUserAttribute("attr1");
// with a namespace/prefix (configurable and with a default value?)
String s2 = (String) principal.getUserAttribute("realm.usrattr.displayName");
I believe that implementing the discussed enhancement is not too
difficult, since only (some of) the Realm classes as well as the
Principal implementation must be modified (TomcatPrincipal and/or
GenericPrincipal). Also, I do not see any security-related risks.
Carsten
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
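The following is an added, self-contained sketch of the proposal above (the "userAttributes" SELECT list, the prefixed keys and the Principal accessors); it is not Tomcat code and not Carsten's. The classes AttributePrincipal, AttributeAwareRealm and UserAttributesDemo, the "realm.usrattr." prefix value and the in-memory user store are all hypothetical stand-ins for GenericPrincipal/TomcatPrincipal, a concrete Realm and a JDBC/LDAP lookup.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for Tomcat's GenericPrincipal/TomcatPrincipal: holds the
// user name, the roles and an additional, read-only map of user attributes.
final class AttributePrincipal implements Principal {
    private final String name;
    private final List<String> roles;
    private final Map<String, Object> attributes;

    AttributePrincipal(String name, List<String> roles, Map<String, Object> attributes) {
        this.name = name;
        this.roles = List.copyOf(roles);
        // Defensive copy plus unmodifiable view: the application can read but not
        // alter what the Realm collected, since the Principal is shared for the session.
        this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
    }

    @Override public String getName() { return name; }
    public boolean hasRole(String role) { return roles.contains(role); }

    // Map-style accessor from the proposal
    public Map<String, Object> getUserAttributesMap() { return attributes; }

    // Single-attribute accessors from the proposal (read-only variants only)
    public Object getUserAttribute(String key) { return attributes.get(key); }
    public String[] getUserAttributeNames() { return attributes.keySet().toArray(new String[0]); }
}

// Hypothetical Realm fragment: parses the "userAttributes" option and queries
// the user store for exactly those fields, namespacing the keys with a prefix.
final class AttributeAwareRealm {
    private final Set<String> requestedAttributes;
    private final String prefix;
    private final Map<String, Map<String, Object>> userStore; // constructed stand-in for JDBC/LDAP

    AttributeAwareRealm(String userAttributesOption, String prefix,
                        Map<String, Map<String, Object>> userStore) {
        this.requestedAttributes = parseUserAttributes(userAttributesOption);
        this.prefix = prefix == null ? "" : prefix;
        this.userStore = userStore;
    }

    // Turns "attr1, displayName, dept_no" into an ordered, de-duplicated set of field names.
    static Set<String> parseUserAttributes(String option) {
        Set<String> names = new LinkedHashSet<>();
        if (option == null) return names;
        for (String raw : option.split(",")) {
            String n = raw.trim();
            if (!n.isEmpty()) names.add(n);
        }
        return names;
    }

    // To be called only after the credentials have been verified, so a failed
    // login never produces a Principal carrying attribute data.
    AttributePrincipal createPrincipal(String username, List<String> roles) {
        Map<String, Object> record = userStore.getOrDefault(username, Map.of());
        Map<String, Object> attrs = new LinkedHashMap<>();
        for (String field : requestedAttributes) {
            Object value = record.get(field);
            if (value != null) attrs.put(prefix + field, value); // only requested fields, only if present
        }
        return new AttributePrincipal(username, roles, attrs);
    }
}

public class UserAttributesDemo {
    public static void main(String[] args) {
        // Constructed sample store: what a JDBC or LDAP lookup might return per user.
        Map<String, Map<String, Object>> store = Map.of(
            "alice", Map.of("attr1", "x", "displayName", "Alice Example",
                            "dept_no", 42, "passwordHash", "not-requested"));

        AttributeAwareRealm realm =
            new AttributeAwareRealm("attr1, displayName, dept_no", "realm.usrattr.", store);
        AttributePrincipal p = realm.createPrincipal("alice", List.of("user"));

        String displayName = (String) p.getUserAttribute("realm.usrattr.displayName");
        System.out.println("displayName = " + displayName);
        // Fields outside the configured list are never copied into the Principal.
        System.out.println("passwordHash = " + p.getUserAttribute("realm.usrattr.passwordHash"));
        try {
            p.getUserAttributesMap().put("realm.usrattr.dept_no", 1);
        } catch (UnsupportedOperationException e) {
            System.out.println("attribute map is read-only for the application");
        }
    }
}
```

Of the two accessor styles under discussion, this sketch deliberately implements only the read-only ones: the Realm fills the map once, at Principal creation, and the application gets an unmodifiable view. Exposing setUserAttribute/removeUserAttribute would let any component that obtains the Principal change data other parts of the application may treat as coming from the Realm. The values themselves are plain data from the user store (display names, addresses); they are not used for authorization decisions here, which stay with the roles.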