----- Original Message -----
From: "Stephen More" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Friday, October 12, 2007 2:35 PM
Subject: application-managed security model and isUserInRole getRemoteUser


If I implement application-managed security (I need to use cookies
for "Remember Me"), is there a way to make it such that
HttpServletRequest.getRemoteUser() and
HttpServletRequest.isUserInRole(java.lang.String role) will respond
with values from the actual logged-in user?

Stephen... don't really understand what you're asking?
The mechanics (if I remember correctly) are all linked to the session (remember me) anyway? So as soon as you use TC's (web.xml) protection, TC creates a session and then associates that with the authentication... so if the browser then comes into say another servlet, TC will via the session tell you that getRemoteUser() is TheBrowserUser if they have been authenticated,
and you can query the roles they're in?

There is no way to get the collection of roles... but if you're protecting access to an application, you will know which roles to check against?

I think I'm missing what it is you're trying to do?

I see an old thread from 2001 (
http://mail-archives.apache.org/mod_mbox/struts-dev/200108.mbox/[EMAIL PROTECTED]
)
In servlet 2.3, you can legally wrap a request (or response, for that
matter, but it's request that matters for this purpose) before handing it
on via RequestDispatcher.  Indeed, you can set up a Filter that gets
control before the servlet does and plays the same game.  Therefore, you
can modify what isUserInRole() or getUserPrincipal() will return to the
called servlet.


Now that it is 2007, is the Filter + RequestDispatcher still the way
to implement this or is there a better way? Is there an example of
this somewhere out there?


Other options I am thinking of:
   - write my own Realm implementation ??
   - stick with container-based security and find a way to make
cookies for "Remember Me" work.

-Thanks
Steve More

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



