Thank you very much for your response. Yes, I did want to dynamically update the roles. The reason I was hoping to do it without making the user re-enter the credentials is because due to some peculiarities of the application this may happen quite often (several times within a user's session), and is likely to get annoying.
I hear you about tinkering with the insides of Tomcat, though... I was hoping that I was missing something and there was a way to do it without overwriting the SSO valve's behavior. There is no way to force re-authentication but make SSO use the cached credentials to re-authenticate and create a new GenericPrincipal object, is there?

Pid-6 wrote:
> On 21/08/2009 19:31, nkrasnov wrote:
>>
>> Hi,
>>
>> I have several Tomcat webapps which use SSO and the same Realm for
>> authentication. All is working as expected, except that I now need to
>> update roles for the user that's already been authenticated in the past.
>> I seem to be able to do it successfully for a given request (by calling
>> LoginContext.login and switching the principals in the subject), but for
>> all subsequent requests isUserInRole returns false for new roles. The way
>> I understand it, this is happening because a GenericPrincipal object,
>> which JAASRealm created in the initial authenticate call, holds a copy of
>> the original role list, and so on all subsequent calls the SSO valve puts
>> that GenericPrincipal into the request and its getRoles, which is called
>> by isUserInRole, accordingly always returns the original list of roles.
>> Is there any way for me to get around this? I don't seem to have any
>> ability to update the roles in this GenericPrincipal object once it's put
>> into the SSO cache... Or, if there is no way to update the roles, can I
>> force re-authentication without making the user re-enter userid/password
>> (we do have those stored in the SSO cache, I believe)?
>
> So you want to dynamically update the user roles?
> Is there a reason why you can't get the user to log out and back in?
>
> I'd guess that the effort of sending a message to the user suggesting
> that they log out, will be less than tinkering with the insides of
> Tomcat - things that could change with each release.
>
> Or you could use a servlet Filter to monitor a flag set in the session,
> which then forces the session to invalidate & log the user out.
>
> p
>
>> Any help would be greatly appreciated.
>>
>> Thank you very much for your time,
>> Natasha
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

--
View this message in context: http://www.nabble.com/Updating-Roles-for-a-logged-in-user-while-using-SingleSignOn-tp25085139p25107540.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
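Pid's suggestion of a servlet Filter that watches a session flag, written out as an added example (this is not code from the thread, from Tomcat, or from the poster's application). It targets the Servlet 2.5 API that Tomcat 6 ships with; the attribute name, the filter class, the `loginPage` init-param and the `markRolesChanged` helper are my own assumptions. It also relies on the SingleSignOn valve treating an explicit `session.invalidate()` (as opposed to a timeout) as a logout and deregistering the whole SSO entry, which is how the valve behaved in the Tomcat 6.x releases I have read; verify that against your own release before relying on it, since the point of the exercise is that the stale GenericPrincipal, and its stale role list, must actually be dropped from the SSO cache rather than just from one webapp's session.

```java
// Added example, not code from the thread or from Tomcat.
// Servlet 2.5 (javax.servlet) Filter: when the code that changes a user's roles
// has flagged the session, force a logout so the SSO valve discards the cached
// GenericPrincipal and the user is re-authenticated with a fresh role list.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RolesChangedFilter implements Filter {

    /** Session attribute set by the role-updating code (assumed name). */
    public static final String ROLES_CHANGED = "com.example.rolesChanged";

    /** Default name of Tomcat's SSO cookie. */
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    /** Page the user is sent to afterwards; an unprotected page is fine, the
     *  container will challenge again on the next protected URL (assumed). */
    private String loginPage = "/index.jsp";

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("loginPage");
        if (p != null) {
            loginPage = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (session != null && Boolean.TRUE.equals(session.getAttribute(ROLES_CHANGED))) {
            // Invalidating the session before it times out is what the SingleSignOn
            // valve treats as a logout: it deregisters the SSO entry, so the cached
            // GenericPrincipal (with its old role list) is gone for every webapp that
            // shares the SSO cookie, not just this one. (Assumption: Tomcat 6.x
            // behaviour; check your release.)
            session.invalidate();

            // Belt and braces: clear the SSO cookie on the client too, so a stale
            // cookie is not presented again before the deregistration is visible.
            Cookie sso = new Cookie(SSO_COOKIE, "");
            sso.setMaxAge(0);
            sso.setPath("/");
            response.addCookie(sso);

            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /**
     * To be called by whatever code changes the current user's roles (the
     * place where the poster currently calls LoginContext.login). The flag is
     * acted on by the filter at the start of the user's next request, before
     * any isUserInRole check can consult the stale principal.
     */
    public static void markRolesChanged(HttpSession session) {
        session.setAttribute(ROLES_CHANGED, Boolean.TRUE);
    }
}
```

Map the filter to `/*` in web.xml (with `loginPage` as an init-param if the default is not wanted) so it runs ahead of every protected resource. Two caveats worth stating: the flag lives in the session of the webapp that changed the roles, so a role change made from a different webapp or by an administrator without access to that session needs some other signal (a shared cache keyed by user name, say) for the filter to read; and nothing here removes the need to re-enter credentials, which is exactly the cost Pid's answer accepts in exchange for not depending on the valve's internals.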