On Mon, 12 Aug 2002, Per Kreipke wrote:

> Date: Mon, 12 Aug 2002 13:11:56 -0400
> From: Per Kreipke <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: [Q] Realms, Principals, et al...
>
> > > Q1:
> > > ===
> > >
> > > If GenericPrincipal isn't available from webapps, is there
> > another way to
> > > get at the complete list of roles for a given user and their password?
> > >
> >
> > Not from a webapp through a portable API.  What you see (isUserInRole())
> > is what you get.
> >
> > However, properly configured web.xml files will have <security-role>
> > elements for all of the role names that are referenced by that webapp, so
> > you might try reading them (by parsing /WEB-INF/web.xml) and trying all of
> > those names through isUserInRole().  Of course, that doesn't help you if
> > the webapp doesn't define them all ...
>
> ... or if the set of all roles is dynamic, a shortfall of the declarative
> servlet security API.
>

If the roles are dynamic, how is it that anyone believes it is possible to
enumerate "the" set of roles for a given user?

> > > I need the complete list of roles for the current user and password to
> > > implement a connector from Cocoon authentication to the container
> > > authentication.
> > >
> >
> > It's not at all clear to me that every possible Realm implementation will
> > be able to articulate such a list -- or that the list won't change over
> > time.  For example, it's perfectly feasible to implement a Realm that says
> > "user Joe has this role, but only from 8am to 5pm on weekdays".  It sounds
> > like the Cocoon folks might want to do a little more thinking about their
> > design.
>
> I don't know that it's their mistake, I'm just talking about wrapping the
> GenericPrincipal class.

GenericPrincipal is an internal implementation detail for how the existing
Realms implement things.  It is not part of the public API that Tomcat
exposes to a webapp.  There is no guarantee that any other container
creates something like this that has the roles built in to the Principal
object itself.

> Isn't it true that you can't do that from _any_
> webapp, much less Cocoon? E.g. given any of the current Tomcat Realms, how
> could you do your 'Joe' example?
>

Implementing time-sensitive permissions would actually be pretty easy -
subclass the Realm implementation that talks to the right kind of
persistent store, and add logic in its hasRole() method to return "false"
outside the allowed times, even if the role is listed in the
GenericPrincipal instance.  Obviously, you'd want to add more information
to the database (or whatever) containing the user information, but that's
all internal implementation stuff.

If you're following what's going on with Tomcat 5 on the developer's list,
you'll see an extension being added to the Realm interface that passes the
current request in to the hasRole() method as well (so that it can make
decisions based on characteristics of the current request).  This is being
done in support of implementing JSR-115, which is an SPI between a
container (like Tomcat) and an authorization service that might implement
arbitrarily complex rules for deciding whether a user, for this request,
at this date and time, has a requested role.  But, from the web
application's point of view, nothing changes -- isUserInRole() is how you
can dynamically ask the question for a particular role.

If you want to expose a Principal object (via getUserPrincipal()) that can
be cast by a webapp to get more data than just the name, that would be
feasible;

* Create a new class implementing Principal (and putting it in
  common/lib or common/classes so that it's visible to both
  Tomcat and your app)

* Build your own Realm implementation that creates and returns one of
  these Principals from the authenticate() method.

Obviously (I hope), this would tie you directly to Tomcat 4 internals.
There's nothing portable in Servlet 2.3 (or 2.4) for enumerating roles --
in fact, if I remember right, JSR-115 dispensed with the idea of creating
API for enumerating all the roles owned by a user because it was not
going to be possible for many environments.

> Thanks, Per
>
> P.s. I know you spend a huge amount of time helping people on this and other
> lists, so I hesitate to ask again but...
>
> Is the implementation of JAASRealm in 4.1 backwards compatible to 4.0.4?
>

Haven't got a clue.  In theory it should be, but I've never tried.

Craig
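As an added illustration of the two things Craig sketches above (a hasRole() override that denies roles outside an allowed time window, and a custom Principal in common/lib that a webapp can cast to read more than the name), here is example code that is not from the thread and not Tomcat's own. It assumes the Tomcat 4.1 signatures `Principal authenticate(String, String)` and `boolean hasRole(Principal, String)` on JDBCRealm/RealmBase and `String[] getRoles()` on GenericPrincipal; the class names TimeBoundedPrincipal and TimeBoundedJDBCRealm and the fixed 8-to-17 weekday window are invented for the example.

```java
// --- File: TimeBoundedPrincipal.java (deploy in common/lib so both Tomcat
//     and the webapp load the same class) ---
// Added example, not code from the thread or from Tomcat.
import java.security.Principal;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.List;
import org.apache.catalina.realm.GenericPrincipal;

/** Principal a webapp may cast to; exposes the role list and a time window. */
public final class TimeBoundedPrincipal implements Principal {
    private final GenericPrincipal delegate; // container-side roles live here
    private final int startHour;             // inclusive, 24h clock
    private final int endHour;               // exclusive

    public TimeBoundedPrincipal(GenericPrincipal delegate, int startHour, int endHour) {
        this.delegate = delegate;
        this.startHour = startHour;
        this.endHour = endHour;
    }

    public String getName() { return delegate.getName(); }

    /** Tomcat-specific extra data; not reachable through the portable Servlet API. */
    public List getRoles() {
        return Collections.unmodifiableList(Arrays.asList(delegate.getRoles()));
    }

    /** True on weekdays between startHour and endHour (assumed window, e.g. 8..17). */
    public boolean isWithinWindow(Calendar now) {
        int day = now.get(Calendar.DAY_OF_WEEK);
        int hour = now.get(Calendar.HOUR_OF_DAY);
        boolean weekday = day != Calendar.SATURDAY && day != Calendar.SUNDAY;
        return weekday && hour >= startHour && hour < endHour;
    }

    public GenericPrincipal getDelegate() { return delegate; }
}

// --- File: TimeBoundedJDBCRealm.java ---
// Assumes Tomcat 4.1 JDBCRealm/RealmBase signatures:
//   Principal authenticate(String username, String credentials)
//   boolean hasRole(Principal principal, String role)
import java.security.Principal;
import java.util.Calendar;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.JDBCRealm;

public class TimeBoundedJDBCRealm extends JDBCRealm {
    // Hypothetical fixed window; a real deployment would store it per user
    // in the same database JDBCRealm already queries.
    private static final int START_HOUR = 8;
    private static final int END_HOUR = 17;

    /** Let JDBCRealm verify the credentials, then wrap its GenericPrincipal. */
    public Principal authenticate(String username, String credentials) {
        Principal p = super.authenticate(username, credentials);
        if (!(p instanceof GenericPrincipal)) {
            return null; // authentication failed (or an unexpected principal type)
        }
        return new TimeBoundedPrincipal((GenericPrincipal) p, START_HOUR, END_HOUR);
    }

    /** Deny every role outside the window, even if the store lists it. */
    public boolean hasRole(Principal principal, String role) {
        if (!(principal instanceof TimeBoundedPrincipal)) {
            return false; // fail closed on anything this realm did not create
        }
        TimeBoundedPrincipal tbp = (TimeBoundedPrincipal) principal;
        if (!tbp.isWithinWindow(Calendar.getInstance())) {
            return false;
        }
        // RealmBase.hasRole() checks for its own GenericPrincipal, so unwrap it.
        return super.hasRole(tbp.getDelegate(), role);
    }
}
```

The realm is configured in server.xml with `className="TimeBoundedJDBCRealm"` plus the usual JDBCRealm attributes; the webapp keeps using isUserInRole() portably and only casts `request.getUserPrincipal()` to TimeBoundedPrincipal when it wants the role list, which, as Craig says, ties that webapp to Tomcat 4 internals and will not work on another container.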
