I have an outline implementation that, by extending FormAuthenticator, allows for (more) complete JAAS support in Tomcat. From what I can tell using Google, it could be useful for others too.
I would appreciate it if I could be pointed towards the RFC process for gauging the usefulness of the change for future Tomcat releases.

Thanks,
Shivaraj

On 12/8/06, Shivaraj Tenginakai <[EMAIL PROTECTED]> wrote:
Hi All,

The current JAAS-based authentication in Tomcat (6.0.2) has no means of manipulating the associated credentials. This prevents an application from specifying more complex security policies, for example, timing out the roles independently of the session timeout.

A very simple fix would be to make the subject object accessible from the session object. One could then, for example, use a valve to enforce custom security policies. Though not part of the servlet specification (from what I can tell), are there any strong reasons for not supporting this feature?

Thanks much,
Shivaraj