I've got an (internal) site happily running with a custom Realm that sets the Principal to one that doesn't extend GenericPrincipal.
The only place that I can see Tomcat depends on GenericPrincipal is RealmBase.getRoles, and you would have to override that one anyway if you wanted to have your own Principal.

"Tomcat User" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Is there a reason why org.apache.catalina.realm.GenericPrincipal is always used to mask the true principal behind the authentication process within each realm? Why does Tomcat limit the ability to provide a more complex Principal when HttpServletRequest.getUserPrincipal() is called?

If anyone knows of any security risks by providing this more complex type (other than what the designer of the type introduces by faulty programming), I would like to hear them as well....

Randy Secrist
