Problem is, the GenericPrincipal class is in the Catalina jar, which is available to Tomcat as a native library but for me to make use of it, I'd have to include it in my web-app lib.
I was hoping to be container-agnostic and avoid any proprietary libraries, which is why I used JNDI and JAAS. I want to be able to hook into my security wrapper without necessarily going through Tomcat's security realm. So, my options are to include the Catalina jar in my context or create my own mappings between resources and roles. In the former case, I'll have a maintenance issue, because I'll have to ensure that the developers know that the jar needs to be kept in sync with the Tomcat environment. In the latter case, I'll be manually doing what Tomcat can do. However, if I am to be truly agnostic, that is what I should do anyway.

Thanks for your help, Chris, it's been very valuable.

Robin.

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 11:16 PM
To: Tomcat Users List
Subject: Re: JAAS authenticated user fails authorization check

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robin,

Robin Coe wrote:
| Thanks Chris, that must be it. Can't believe I missed that.
| Unfortunately, this class is part of the Catalina codebase, which makes
| it necessary to use a runtime check and invoke a GenericPrincipal
| subclass when running inside Tomcat. I don't want to include the
| Catalina jar or be dependent on running Tomcat exclusively.

I don't understand. You shouldn't have to do any of that stuff... just extend GenericPrincipal and you should be good to go.

| I find it strange that the code works by calling
| request.isUserInRole(), when using a class that implements the Principal
| interface, but fails when using declared roles. It's annoying that the
| Tomcat docs don't mention the necessity of extending GenericPrincipal
| when rolling your own implementation.

That's because you generally don't roll your own half-implementation, which is what you've done, here. Tomcat expects its own implementation not to be subverted. Principal does not have an "isInRole" method, so it's got to come from somewhere else. Sorry!
If you want complete control over authentication and authorization, you can check out securityfilter (http://securityfilter.sourceforge.net/), although you may find that you have to implement a lot of your own stuff if you really want a lot of control. You should be able to use Tomcat realms (including JAASRealm) along with it, though.

- -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
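The two principal types discussed in the thread, side by side, as an added illustration that is not code from either list post: a class that only implements java.security.Principal (the "half-implementation" whose roles the container cannot see) beside one that extends Tomcat's GenericPrincipal. It assumes the Tomcat 7+ constructor GenericPrincipal(String name, String password, List<String> roles); Tomcat 6 takes the owning Realm as an extra first argument. The names PrincipalExamples, PlainPrincipal, RoleBearingPrincipal and commit are invented for the example.

```java
import java.security.Principal;
import java.util.List;
import javax.security.auth.Subject;
import org.apache.catalina.realm.GenericPrincipal;

// Added example, not code from the thread. Assumes the Tomcat 7+ constructor
// GenericPrincipal(String, String, List<String>); Tomcat 6 takes a Realm first.
public final class PrincipalExamples {

    /**
     * The half-implementation from the thread. It satisfies java.security.Principal,
     * so a JAAS login can succeed with it, but that interface declares only getName().
     * When Tomcat evaluates the role names of a declared <security-constraint> it has
     * no role method to call on this object, so the declarative check fails even
     * though application code that casts to this class can still ask isInRole().
     */
    static final class PlainPrincipal implements Principal {
        private final String name;
        private final List<String> roles;

        PlainPrincipal(String name, List<String> roles) {
            this.name = name;
            this.roles = roles;
        }

        @Override public String getName() { return name; }

        // Private contract: visible to the web-app, invisible to the container.
        boolean isInRole(String role) { return roles.contains(role); }
    }

    /**
     * Chris's suggestion: extend GenericPrincipal, the type Tomcat's realms use to
     * answer role questions (its hasRole method), so declared roles and
     * request.isUserInRole() agree. The password is passed as null because the
     * login module has already verified it and nothing needs to be retained.
     */
    public static final class RoleBearingPrincipal extends GenericPrincipal {
        public RoleBearingPrincipal(String name, List<String> roles) {
            super(name, null, roles);
        }
    }

    /** Stand-in for the body of a LoginModule.commit(): the principal placed in the
     *  Subject must be the role-bearing one for Tomcat to see the roles. */
    public static void commit(Subject subject, String user, List<String> roles) {
        subject.getPrincipals().add(new RoleBearingPrincipal(user, roles));
    }
}
```

Because the web-app must compile against GenericPrincipal, this approach carries the Catalina-jar dependency that Robin describes above; the trade-off is the one he weighs against keeping his own resource-to-role mapping.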