> From: Workman, Joe [mailto:[EMAIL PROTECTED]
> Subject: RE: Custom JAAS LoginModule not authorizing
> GenericPrincipalroles
>
> After playing around I found that if I were to create
> a second Principal with the username of the rolename,
> everything worked as expected. This behavior is not
> normal is it?

Well, sort of. I ended up creating two Principal sub-classes, one for users, the other for roles.

> I feel that the JAASRealm should be able to find the
> roles from the GenericPrincipal Class. Is there a bug
> that I am not aware of here?

Not a bug, but a disconnect between the JAAS and Servlet specs. Last time I checked, there was no recognition in the JAAS spec of the existence of "roles", but the Servlet spec depends on them for proper access control. Each container has to fill in the gap with its own specification, and the Tomcat developers chose to do it by having roles appear as JAAS Principals.

Note the following in the Tomcat doc:

"Although not specified in JAAS, you should create separate classes to distinguish between users and roles, extending javax.security.Principal, so that Tomcat can tell which Principals returned from your login module are users and which are roles (see org.apache.catalina.realm.JAASRealm). Regardless, the first Principal returned is always treated as the user Principal."

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JAASRealm

 - Chuck