Ambarish,

On 3/3/2009 7:57 AM, Ambarish Mitra wrote:
> Goal: I have a web-app which I have protected with an external
> authentication engine. To achieve this, I have written a custom valve which
> sets a principal.

I'm not sure you need a Valve. Why not just write a custom Realm (as you
have done) and use that instead of one of the built-in Realms?

> Here, I do not get the roles of the user, so the principal object is being
> set without roles, and so, the authorization to the webapp is being denied
> (although authentication is passed).
>
> I thought of writing a custom Realm to get the Principal and the associated
> roles from Tomcat, but I have difficulty/doubt in the custom realm. Code
> snippet of my trial is below, but if anyone can provide a better solution
> that would also be good.
>
> I tried to extend RealmBase and implement Realm class and override the
> getPrincipal, getPassword and getUser methods. I do not wish to do any
> authentication here, because the authentication is already done by the
> external system.

You also need to override the hasRole(Principal,String) method. If you
really need /no/ authorization, then you can simply return 'true' from
this method. You could also use the GenericPrincipal constructor which
takes a list of role names and be sure to include any roles required by
your application.

What does your <security-constraint> look like in web.xml? If you
haven't defined any roles in web.xml, you will need to set
allRolesMode="strictAuthOnly" on your <Realm> element in your webapp's
context.xml. Unfortunately, this attribute is not documented except in
the Tomcat source code.

Reference: http://www.mailinglistarchive.com/users@tomcat.apache.org/msg12579.html

Hope that helps,
-chris
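
The second option from the reply (a Realm that attaches role names through GenericPrincipal, so that hasRole does not have to return true for every role) could look like the sketch below. It is an added example, not code from this thread or from Tomcat. It assumes the Tomcat 6.0 signatures for RealmBase and GenericPrincipal, which changed in later releases; the package, class name, user names and role names are hypothetical.

```java
package com.example.realm; // hypothetical package

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Realm for users who were already authenticated by an external system. */
public class ExternalAuthRealm extends RealmBase {

    // Constructed sample data. A real deployment would ask the external
    // authentication engine (or a directory) for the user's roles.
    private static final Map<String, List<String>> ROLES =
            new HashMap<String, List<String>>();
    static {
        ROLES.put("alice", Arrays.asList("app-user", "app-admin"));
        ROLES.put("bob", Arrays.asList("app-user"));
    }

    @Override
    protected String getName() {
        return "ExternalAuthRealm";
    }

    @Override
    protected String getPassword(String username) {
        // No password is stored here: authentication happened upstream.
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        List<String> roles = ROLES.get(username);
        if (roles == null) {
            // Unknown to the role source: authenticated, but holds no roles.
            roles = Collections.emptyList();
        }
        // Constructor that takes the list of role names (Tomcat 6.0 form).
        return new GenericPrincipal(this, username, null, roles);
    }

    // hasRole(Principal, String) is intentionally not overridden to return
    // true: each <auth-constraint> role in web.xml is then checked against
    // the role list attached above instead of being granted to everyone.
}
```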