Custom Realms really aren't all that hard. You typically create a class that extends RealmBase (http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html, changing the '5.5' to the TC version you care about, unless it's 3.3 where the package is different). Then you override the 'getPassword(String)' (returns the db-password of the user), the 'getPrincipal(String)' (returns the userPrincipal for the user), and the 'getName()' (returns the name of the realm -- any identifying string). If you return anything but a o.a.c.realm.GenericPrincipal from getPrincipal, then you'll have to override the 'hasRole(Principal, String)' method as well.
Thank you, that gives me a place to start. But I don't want to _authenticate_ the user at all... that's done elsewhere (one of two different places, actually) and handled by a Filter. And yet I realize that somehow Tomcat has to know who the user is. :/
If I create a realm and configure it, will I be able to circumvent the user getting prompted for a userID and password? Can I (in the Filter) place a GenericPrincipal object in the session under some key? I'm really only after the programmatic security of isUserInRole(...) here, but would like to stick to the standard way of doing things as much as possible.
--
Wendy Smoak
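
The realm outlined in the first message of this thread, as an added example that is not part of the original posts and is not Tomcat's own code. It assumes the Tomcat 5.5 API (the four-argument GenericPrincipal constructor); the class name ExampleRealm and the in-memory user table are hypothetical, constructed sample data.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Hypothetical realm for illustration; written against the Tomcat 5.5 API. */
public class ExampleRealm extends RealmBase {

    // Constructed sample data. A real realm would query its user store here.
    private final Map<String, String> credentials = new HashMap<String, String>();
    private final Map<String, List<String>> roles = new HashMap<String, List<String>>();

    public ExampleRealm() {
        credentials.put("alice", "sample-credential");
        roles.put("alice", Arrays.asList("admin", "user"));
    }

    /** Any identifying string for the realm. */
    @Override
    protected String getName() {
        return "ExampleRealm";
    }

    /** Stored credential for the user, or null if the user is unknown. */
    @Override
    protected String getPassword(String username) {
        return credentials.get(username);
    }

    /** Returning null for an unknown user makes the lookup fail closed. */
    @Override
    protected Principal getPrincipal(String username) {
        String password = getPassword(username);
        if (password == null) {
            return null;
        }
        // GenericPrincipal carries the role list, so the inherited
        // hasRole(Principal, String) works without being overridden.
        return new GenericPrincipal(this, username, password, roles.get(username));
    }
}
```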
