| Just as a simple example, consider the concept of "group" that many
| security environments define.  Either of the following mappings would
| be perfectly legal from the perspective of a servlet container (or a
| J2EE app server):
| 
| * "Group == Role" (since Tomcat 3.x and 4.0 do not have any specific
|   concept of a group, this is effectively what they implement).
| 
| * "Group == set of roles inherited by all members of the group"
|   (supported explicitly by Tomcat 4.1).
| 
| The details of how role is mapped to real-world things are up to the
| container.
| 

How is group implemented then in 4.1 if we want to take advantage of
this feature?  I'm looking at the HttpServletRequest API which involves
getting a requested Principal, but only Role is exposed via Strings.

Is the presumption that we cast to our own Principal (implements User)
and do verification based on the now exposed groups?  Granted I would
start with my own UserRealm extending RealmBase with a UserDatabase of
my own.

Best Regards,
Jake Hookom
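
The two mappings named in the quoted text, modeled as an added example (not part of the original message and not Tomcat's code). The class, record and method names are hypothetical, the data is constructed, and Java 16+ is assumed for `record`. It shows that under either mapping the application still only asks about role strings.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration: a self-contained model, not Tomcat's own classes.
public class GroupRoleMapping {

    // Hypothetical user record: directly assigned roles plus group memberships.
    record User(String name, Set<String> roles, Set<String> groups) {}

    // Mapping 1, "Group == Role": every group name is treated as a role name.
    static Set<String> groupIsRole(User u) {
        Set<String> effective = new TreeSet<>(u.roles());
        effective.addAll(u.groups());
        return effective;
    }

    // Mapping 2: a group is a set of roles inherited by all of its members.
    static Set<String> groupGrantsRoles(User u, Map<String, Set<String>> groupRoles) {
        Set<String> effective = new TreeSet<>(u.roles());
        for (String g : u.groups()) {
            // A group with no definition grants nothing (fail closed).
            effective.addAll(groupRoles.getOrDefault(g, Set.of()));
        }
        return effective;
    }

    // What application code sees: a yes/no answer per role string, in the
    // style of HttpServletRequest.isUserInRole(String). Groups never surface.
    static boolean isUserInRole(Set<String> effectiveRoles, String role) {
        return effectiveRoles.contains(role);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, Set<String>> groupRoles =
                Map.of("admins", Set.of("manager", "auditor"));
        User u = new User("jake", Set.of("user"), Set.of("admins", "undefined-group"));

        Set<String> asRoles = groupIsRole(u);
        Set<String> inherited = groupGrantsRoles(u, groupRoles);
        System.out.println("Group == Role:         " + asRoles);
        System.out.println("Group == set of roles: " + inherited);
        System.out.println("manager (mapping 1)?   " + isUserInRole(asRoles, "manager"));
        System.out.println("manager (mapping 2)?   " + isUserInRole(inherited, "manager"));
    }
}
```

The same `<role-name>` in a security constraint can therefore admit different users depending on which mapping the container applies, so a review of role names should state which mapping is in effect.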
 
