Andy Armstrong wrote:
> 
> Antony Bowesman wrote:
> >
> > Andy Armstrong wrote:
> > >
> > > Michael Jennings wrote:
> > > >
> > > > Thanks for the feedback!
> > > >
> > > > Does tomcat 3.2.2 currently support JAAS?
> > >
> > > Not in any explicit sense I think (anyone?),
> >
> > JAAS is not explicitly supported by tomcat.  JAAS was only available
> > from JDK 1.3, supplied as an extension.  JAAS is now merged into JDK1.4
> > but there is no explicit support for JAAS in the servlet API spec 2.3
> > although JAAS is gradually gaining momentum.  There has to be some
> > reworking to the servlet spec (as well as EJB) to support the concept of
> > multiple Principals and the JAAS Subject.
> 
> I've just been having a look at this. As you say it would be easy enough
> to implement a JAAS realm -- the main problem being how to provide
> access to the JAAS Subject. The cleanest route would seem to be just to
> expose the Subject directly by adding
> 
>   Subject getUserSubject()
> 
> to HttpServletRequest() leaving the question of how to change the
> handling of Principals to reflect the fact that there can be more than
> one under JAAS.

Exactly, I would hope that this is how it will be exposed in Servlet and
EJB specs with getUser/CallerPrincipal being deprecated in favour of
getUser/CallerSubject.

Another issue is how roles work.  The current isUser/CallerInRole
methods are rather simple.  Mapping realm roles to application roles
needs to be addressed, I see that Alex Roytman's mail to user group
allows for a role mapping class to map from user realm roles to the J2EE
roles in the servlet spec.  I also have the same concept with my JAAS
realm so that user realm roles can be mapped to J2EE String roles based
on the web app context.  It seems to make sense that roles would be
incorporated as Principals inside the Subject so they could then be used
inside JAAS authorization.

Antony
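As an added illustration of the idea discussed above (roles carried as Principals inside the JAAS Subject, with a per-web-app mapping from realm roles to the J2EE String roles), here is a small stand-alone Java sketch. It is not Antony's JAAS realm or Alex Roytman's mapping class and it is not Tomcat code; the `UserPrincipal`, `RealmRolePrincipal` and `RoleMapper` classes, the role names and the context paths are all constructed for the example, and it assumes a modern JDK rather than the JDK 1.3 extension mentioned in the thread.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical principal types (not part of JAAS itself): one for the
// authenticated user name, one for each realm role a login module found.
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return "user:" + name; }
}

final class RealmRolePrincipal implements Principal {
    private final String name;
    RealmRolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return "realm-role:" + name; }
}

// Hypothetical per-web-app mapping from realm role names to the String
// roles a web.xml would declare. One realm role may map to several
// application roles, and each web app context keeps its own table.
final class RoleMapper {
    private final Map<String, Map<String, Set<String>>> byContext = new HashMap<>();

    void map(String context, String realmRole, String appRole) {
        byContext.computeIfAbsent(context, c -> new HashMap<>())
                 .computeIfAbsent(realmRole, r -> new HashSet<>())
                 .add(appRole);
    }

    // Collect the application roles implied by the role Principals in the Subject.
    Set<String> appRoles(String context, Subject subject) {
        Set<String> result = new HashSet<>();
        Map<String, Set<String>> table = byContext.getOrDefault(context, Map.of());
        for (RealmRolePrincipal p : subject.getPrincipals(RealmRolePrincipal.class)) {
            result.addAll(table.getOrDefault(p.getName(), Set.of()));
        }
        return result;
    }

    // What an isUserInRole backed by the Subject would reduce to.
    boolean isUserInRole(String context, Subject subject, String appRole) {
        return appRoles(context, subject).contains(appRole);
    }
}

public class JaasRoleMappingDemo {
    public static void main(String[] args) {
        // Constructed Subject standing in for what a JAAS login module would populate.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));
        subject.getPrincipals().add(new RealmRolePrincipal("cn=ldap-admins"));
        subject.getPrincipals().add(new RealmRolePrincipal("cn=staff"));
        subject.setReadOnly(); // freeze the Subject once authentication is done

        RoleMapper mapper = new RoleMapper();
        mapper.map("/intranet", "cn=ldap-admins", "manager");
        mapper.map("/intranet", "cn=ldap-admins", "employee");
        mapper.map("/intranet", "cn=staff", "employee");
        // A different web app maps the same realm role to a narrower role.
        mapper.map("/reports", "cn=staff", "reader");

        System.out.println("/intranet roles: " + mapper.appRoles("/intranet", subject));
        System.out.println("/intranet manager? "
                + mapper.isUserInRole("/intranet", subject, "manager"));
        System.out.println("/reports manager? "
                + mapper.isUserInRole("/reports", subject, "manager"));
        System.out.println("/reports reader? "
                + mapper.isUserInRole("/reports", subject, "reader"));
    }
}
```

The point of keeping roles as Principals rather than as a separate list is visible in `appRoles`: `Subject.getPrincipals(Class)` already gives a typed view of them, so the same Subject can feed both the servlet-style `isUserInRole` check and a JAAS `Policy` that grants permissions by Principal class and name. Because the mapping is keyed by web app context, a realm role that means "manager" in one application cannot silently become "manager" in another.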
