Jerry,
> Am 05.11.2023 um 02:34 schrieb Brian Wolfe <wolfebrian2...@gmail.com>: > > You need to build a custom realm for that if you're using tomcat to manage > your user sessions and not creating your own sessions for your application. > You can extend the existing one that you're using. I assume you're using > the JDBC Realm since you said you have an USERS table. So you could add > another field to your table and extend the JDBC class to do an additional > check on your admin pwd field if you don't want them to have a second > account. > > https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#Standard_Realm_Implementations > > You will want to look at the source of the realm implementation to see how > you need to extend it. So you shouldn't have to do too much to get the > functionality you're looking for. > >> On Sat, Nov 4, 2023 at 8:18 PM Jerry Malcolm <techst...@malcolms.com> wrote: >> >> My support team needs to be able to log in to our site as various users >> (on behalf of...) to be able to see exactly what they are seeing since >> roles, access groups, history is different for different users. I would >> like to implement an admin password where I can log in as any userId >> with this password. I totally realize the security risks involved in >> this. But I am handling the security risks with additional >> authorizations. Back in the days when we had this requirement, we implemented an "admin tool" where we had the admin user login as themselves and then pick the user they wanted to see. At this time the password check was simply skipped. No fiddling with the password table, no security flaws as the admin tool was not available to the public. >> I simply need to make every user have two passwords... >> their real personal password, and the admin password. The only >> alternative I have right now is to save off the user's password hash in >> the USERS table, replace it with my password hash, then restore the >> user's original password when I'm done. I'm not thrilled with that >> solution first because it's a pain and error prone, and also because the >> user can no longer log in while their password is replaced with my >> password. >> >> I figure this function is buried in the authenticator code somewhere. >> But I'd first like to see if anybody has done anything like this >> already. If not, could somebody point me in the right direction to the >> tomcat source file that I'm going to need to modify and also what's >> involved in making authentication use my updated class instead of the >> default. >> >> Suggestions? >> Would that be a solution? Peter >> Thx >> >> Jerry >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > -- > Thanks, > Brian Wolfe > https://www.linkedin.com/in/brian-wolfe-3136425a/ --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
