Hm! Thanks Adam - I guess that makes sense! Ok, so my two requirements for my authentication are 1) that I can load custom information into the session object and 2) that I support isUserInRole(). Realm authentication should take care of #2, but what can I do about #1 since I won't have any control over what happens at login?
-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: Friday, March 12, 2004 1:48 PM
To: Tomcat Users List
Subject: Re: JAAS: Where does role information go in a Subject?

On 03/12/2004 06:44 PM Alan Weissman wrote:
> I'm implementing a JAAS login mechanism in my app, not as a Realm but
> via Struts Action classes.
>
> In my loginModule, I am creating the Subject with principals and
> credentials and want to store role information. Where does Tomcat
> expect a list of roles to be in the Subject? I haven't been able to
> figure this out. I want to make sure that in the future I can use
> features that check request.isUserInRole(roleName).

That would be messin' with the container-managed security, which isn't allowed according to the servlet spec. You can't mix & match your own login with the container-managed stuff, unless you're modifying Tomcat source code.

Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
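
Added example, not part of the original thread: one way to meet requirement #1 while leaving login and isUserInRole() to the Realm is a servlet Filter that fills the session after the container has authenticated the request. The class name `SessionProfileFilter`, the `userProfile` attribute, the `UserProfile` type and `loadProfile()` are hypothetical; the `javax.servlet` API is assumed, as in Tomcat 5.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionProfileFilter implements Filter {
    static final String PROFILE_ATTR = "userProfile"; // assumed attribute name

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Set by the container only after the Realm has authenticated the user.
        Principal user = request.getUserPrincipal();
        if (user != null) {
            HttpSession session = request.getSession();
            Object cached = session.getAttribute(PROFILE_ATTR);
            // The application has no hook at login, so check on each request.
            // Reload when nothing is cached or the cached profile belongs to
            // a different principal than the one the container reports now.
            if (!(cached instanceof UserProfile)
                    || !((UserProfile) cached).name.equals(user.getName())) {
                session.setAttribute(PROFILE_ATTR, loadProfile(user.getName()));
            }
        }
        chain.doFilter(req, res);
    }

    // Hypothetical lookup; replace with the application's own data access.
    private UserProfile loadProfile(String name) {
        return new UserProfile(name, "display name for " + name);
    }

    // Serializable so the container can persist or replicate the session.
    static class UserProfile implements Serializable {
        final String name;
        final String displayName;
        UserProfile(String name, String displayName) {
            this.name = name;
            this.displayName = displayName;
        }
    }
}
```

Map the filter in web.xml to the same URL patterns the security constraints protect. Keep authorization decisions on request.isUserInRole() rather than on anything stored in the session, so the container stays the single source of role information.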