Hi,
I'm not sure wether this has been discussed before, but I'm wondering wether
theres any reason why the CoyotePrincipal class couldnt be extended to
maintain a list of roles, similiar to what is now done with the
GenericPrincipal in the catalina realm package.
I have a scenario at the moment where I'm using tomcat with IIS/Apache
sitting in front of it so that I can take advantage of integrated windows
authentication (For Apache I use mod_auth_sspi). This works fine for simple
apps that only have a default application role.
In the case where I need to use role based security with the roles being
equal to nt domain groups, I was lucky in that ActiveDirectory is used to
authenticate the network logons with meant all I had todo was extend the
existing JNDIRealm and override the hasRole method so it read the role
information from ActiveDirectory. My realm is only used for role info only,
not authentication (As the web server has already done that) so in
overridden hasRole method, the passed in Principal is of type
CoyotePrincipal. I can read my role information fine but the issue I'm
having is that since the CoyotePrincipal cannot hold roles, I have two
options:
1. Everytime the hasRole method is invoked by the container, reread the
roles from Active Directory.
2. Using the SessionManager which is available via the Realms manager,
iterate through each active session and find the one this principal is for.
The principal is not associated with a session (only a request), so how can
i determine the current session for the current principal? One way I have
gotten around this is to create a custom valve implementation which
intercepts the request, and takes the username from the request and places
into a session attribute so i can match sessions and principals but this is
a hack.
If the CoyotePrincipal has a way to hold onto role information like the
other principals then this would solve the problems I currently have.
If anyone has some other ideas please let me know.
Thanks
Rob
