Thank you very much for your response. 

Yes, I did want to dynamically update the roles.  The reason I was hoping to
do it without making the user re-enter the credentials is because due to
some peculiarities of the application this may happen quite often (several
times within a user's session), and is likely to get annoying.

I hear you about tinkering with the insides of Tomcat, though...  I was
hoping that I was missing something and there was a way to do it without
overwriting SSO valve's behavior.  There is no way to force
re-authentication but make SSO use the cached credentials to re-authenticate
and create a new GenericPrincipal object, is there?


Pid-6 wrote:
> 
> On 21/08/2009 19:31, nkrasnov wrote:
>>
>> Hi,
>>
>> I have several Tomcat webapps which use SSO and the same Realm for
>> authentication. All is working as expected, except that I now need to
>> update roles for the user that's already been authenticated in the past. I
>> seem to be able to do it successfully for a given request (by calling
>> LoginContext.login and switching the principals in the subject), but for
>> all subsequent requests isUserInRole returns false for new roles. The way I
>> understand it, this is happening because a GenericPrincipal object, which
>> JAASRealm created in the initial authenticate call, holds a copy of the
>> original role list, and so on all subsequent calls SSO valve puts that
>> GenericPrincipal into request and its getRoles, which is called by
>> isUserInRole, accordingly, always returns the original list of roles. Is
>> there any way for me to get around this? I don't seem to have any ability
>> to update the roles in this GenericPrincipal object once it's put into SSO
>> cache... Or, if there is no way to update the roles, can I force
>> re-authentication without making the user re-enter userid/password (we do
>> have those stored in SSO cache, I believe)?
> 
> So you want to dynamically update the user roles?
> Is there a reason why you can't get the user to log out and back in?
> 
> I'd guess that the effort of sending a message to the user suggesting 
> that they log out, will be less than tinkering with the insides of 
> Tomcat - things that could change with each release.
> 
> Or you could use a servlet Filter to monitor a flag set in the session, 
> which then forces the session to invalidate & log the user out.
> 
> p
> 
>> Any help would be greatly appreciated.
>>
>> Thank you very much for your time,
>> Natasha
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Updating-Roles-for-a-logged-in-user-while-using-SingleSignOn-tp25085139p25107540.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
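One way to implement the servlet Filter that Pid suggests, as an added example that is neither from this thread nor from Tomcat itself. The static map, the `markRolesChanged` helper and the session attribute name are assumptions; it relies on Tomcat's SingleSignOn valve treating an explicitly invalidated session as a logout and deregistering the SSO entry, which is what forces the fresh authenticate call and a new GenericPrincipal with the current roles.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Logs a user out when their roles changed after the session they are using was seen. */
public class StaleRolesFilter implements Filter {
    // username -> time (ms) the roles were last changed. Written by the role-admin code
    // via markRolesChanged(). Assumption: one map per webapp classloader, so with several
    // webapps each one must be told, or this state must live somewhere shared (e.g. a DB).
    private static final Map<String, Long> ROLES_CHANGED_AT = new ConcurrentHashMap<String, Long>();
    private static final String SEEN_AT = "staleRoles.seenAt"; // hypothetical attribute name

    /** Called by whatever code changes a user's roles in the Realm's backing store. */
    public static void markRolesChanged(String username) {
        ROLES_CHANGED_AT.put(username, Long.valueOf(System.currentTimeMillis()));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal user = request.getUserPrincipal();   // the cached GenericPrincipal, if any
        HttpSession session = request.getSession(false);
        if (user != null && session != null) {
            // Record when this session was first seen with an authenticated principal.
            Long seenAt = (Long) session.getAttribute(SEEN_AT);
            if (seenAt == null) {
                seenAt = Long.valueOf(System.currentTimeMillis());
                session.setAttribute(SEEN_AT, seenAt);
            }
            Long changedAt = ROLES_CHANGED_AT.get(user.getName());
            if (changedAt != null && changedAt.longValue() > seenAt.longValue()) {
                // Roles are stale: invalidate the session. Under the SSO valve this also
                // deregisters the SSO entry, so the next request authenticates again and
                // the Realm builds a new GenericPrincipal with the current role list.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + "/");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml ahead of the protected resources; the redirect lands on a protected URL so the container's login form is shown immediately rather than after the user's next click.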

