"Wendy Smoak" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> From: "Bill Barker" <[EMAIL PROTECTED]>
>> Custom Realms really aren't all that hard. You typically create a class
>> that extends RealmBase
>> (http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html,
>> changing the '5.5' to the TC version you care about, unless it's 3.3
>> where the package is different). Then you override the
>> 'getPassword(String)' (returns the db-password of the user), the
>> 'getPrincipal(String)' (returns the userPrincipal for the user), and the
>> 'getName()' (returns the name of the realm -- any identifying string).
>> If you return anything but an o.a.c.realm.GenericPrincipal from
>> getPrincipal, then you'll have to override the 'hasRole(Principal,
>> String)' method as well.
>
> Thank you, that gives me a place to start. But I don't want to
> _authenticate_ the user at all... that's done elsewhere (one of two
> different places, actually,) and handled by a Filter. And yet I realize
> that somehow Tomcat has to know who the user is. :/
>
> If I create a realm and configure it, will I be able to circumvent the
> user getting prompted for a userID and password? Can I (in the Filter)
> place a GenericPrincipal object in the session under some key? I'm really
> only after the programmatic security of isUserInRole(...) here, but would
> like to stick to the standard way of doing things as much as possible.
>
The Realm will populate the 'userRoles' only if they are accessing a
protected page (one that is under a <security-constraint>), so it doesn't
change prompting. And, no, a normal Filter can't set the userPrincipal,
since that requires access to Tomcat internals. You could use a Valve,
but it sounds like for what you want, you could simply wrap the
HttpServletRequest in your Filter with a wrapper that overrides
isUserInRole. If anything, this would be more 'the standard way', since
then your app would also be portable to another Servlet Container.

> --
> Wendy Smoak

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
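The wrapper approach Bill describes, written out as an added example (this is not code from the thread or from Tomcat). It assumes the application's own login code, the one that "is done elsewhere", stores an `AuthenticatedUser` object in the session under the key `app.authenticatedUser`; both that class and the key name are assumptions for the example. The filter reads that entry with `getSession(false)` so it never creates a session just to check for a user, treats a missing or foreign-typed entry as anonymous, and wraps the request so `isUserInRole`, `getUserPrincipal` and `getRemoteUser` all answer from the server-side session and never from anything the client sends. It uses only the Servlet API (`javax.servlet`, as in the Tomcat 5.5 era the thread is about), so it stays container-portable, which is Bill's point. As he also notes, the container's own `<security-constraint>` checks are answered by the Realm and never see this wrapper; the example only covers the programmatic `isUserInRole(...)` calls in the application.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Example filter: answers isUserInRole()/getUserPrincipal() from an entry the
 * application's own login code placed in the session. Assumed names throughout.
 */
public class AppSecurityFilter implements Filter {

    /** Assumed session attribute key written by the application's login code. */
    public static final String USER_KEY = "app.authenticatedUser";

    /** Assumed session entry: user name plus an immutable role set. */
    public static final class AuthenticatedUser implements Principal {
        private final String name;
        private final Set<String> roles;

        public AuthenticatedUser(String name, Set<String> roles) {
            this.name = name;
            // Copy and freeze so nothing can add roles to the session entry later.
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        public String getName() { return name; }

        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Request wrapper that overrides the programmatic-security calls. */
    static final class SecuredRequest extends HttpServletRequestWrapper {
        private final AuthenticatedUser user; // null means anonymous

        SecuredRequest(HttpServletRequest request, AuthenticatedUser user) {
            super(request);
            this.user = user;
        }

        @Override
        public boolean isUserInRole(String role) {
            // Anonymous requests are in no role; roles come only from the session entry.
            return user != null && role != null && user.hasRole(role);
        }

        @Override
        public Principal getUserPrincipal() { return user; }

        @Override
        public String getRemoteUser() { return user == null ? null : user.getName(); }
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // getSession(false): do not create a session merely to look for a user.
        HttpSession session = httpRequest.getSession(false);
        Object entry = (session == null) ? null : session.getAttribute(USER_KEY);

        // Anything other than our own type (missing, or planted under the same key
        // by other code) is treated as "not logged in" rather than trusted.
        AuthenticatedUser user = (entry instanceof AuthenticatedUser) ? (AuthenticatedUser) entry : null;

        chain.doFilter(new SecuredRequest(httpRequest, user), response);
    }
}
```

Map the filter in web.xml on the URL patterns whose servlets and JSPs call `isUserInRole(...)`, and order it after the filter that performs the actual authentication so the session entry exists by the time this one runs. Because the answer comes from a server-side session object the application itself created, a client cannot gain a role by sending a header or parameter; the only way in is the login code that writes `USER_KEY`.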