Re: Admin password for Tomcat

Sun, 05 Nov 2023 09:55:07 -0800 


On 11/5/2023 9:26 AM, Christopher Schultz wrote:

Jerry,

On 11/4/23 20:17, Jerry Malcolm wrote:

My support team needs to be able to log in to our site as various 
users (on behalf of...) to be able to see exactly what they are 
seeing since roles, access groups, history is different for different 
users.  I would like to implement an admin password where I can log 
in as any userId with this password.  I totally realize the security 
risks involved in this.  But I am handling the security risks with 
additional authorizations.  I simply need to make every user have two 
passwords... their real personal password, and the admin password.  
The only alternative I have right now is to save off the user's 
password hash in the USERS table, replace it with my password hash, 
then restore the user's original password when I'm done.  I'm not 
thrilled with that solution first because it's a pain and error 
prone, and also because the user can no longer log in while their 
password is replaced with my password.



  I figure this function is buried in the authenticator code 
somewhere. But I'd first like to see if anybody has done anything 
like this already.  If not, could somebody point me in the right 
direction to the tomcat source file that I'm going to need to modify 
and also what's involved in making authentication use my updated 
class instead of the default.


Suggestions?



This sounds like "impersonation" to me, which, I think, can be done 
differently. If you are indeed describing an X-Y problem above, then 
might I suggest the following?



Instead of figuring out how to "add" a second password to a user, what 
about allowing you to login as e.g. "jerry" and then assume the 
identity of the user "tom"? You should be able to do this by changing 
the UserPrincipal in the session to have a different username.



Which application are you trying to do this with? Your own 
application, or one which ships with Tomcat (e.g. Manager)?


-chris



Hi Chris, it's my own webapp.  Changing user principal is exactly what 
I'm trying to do.  I wasn't aware that the user principal could be 
easily swapped.  Where can I learn more about how to do that?




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to