I'm running a task on the user's behalf on a background thread with a task scheduler. I need to get the roles when the task is run, in case of a change in role membership between the time the task is scheduled and when it is executed.
What class reads server.xml and creates the realms? Perhaps there's a way to get a reference to the realm via some static reference?

On Jul 15, 2017 4:53 AM, "André Warnier (tomcat)" <a...@ice-sa.com> wrote:

> On 15.07.2017 00:46, Alex O'Ree wrote:
>
>> Hi Tomcat folks!
>>
>> I have a use case where I have a reoccurring background process (quartz
>> job) that needs to perform access control checks against a user
>> principal. Normally, user role membership is only accessible via one
>> of the http session, servlet request, objects, etc.
>>
>> Question, is there a way to essentially perform the same task as
>> "isUserInRole" without the context object?
>>
>> I don't necessarily know what the realm will be ahead of time, but it
>> will probably either be the jndi/ldap setup (with bind credentials) or
>> the default tomcat-users xml file realm.
>>
>> My initial thought to solve this problem was to read server.xml
>> looking for realms nodes, then create instances of them using the same
>> configuration from server.xml, then attempt to do some hackery to get
>> the roles of the user without performing an authentication challenge.
>> I'm not sure how feasible this is and it seems like a bit of work
>> (probably an easier solution)
>>
>> I've also tried poking around to find a mbean that looks promising. I
>> eventually found that the realms are registered mbeans but I didn't
>> see any obvious solutions.
>>
>
> Hi.
> I don't know if what you want to do as described above is even possible
> while remaining within the general HTTP protocol specification and/or the
> Java Servlet Specification.
> But in any case, I believe that you should have a look at
> http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Single_Sign_On_Valve
> to give you an idea of what is involved, and what the constraints are.
> (Keep in mind that a Valve is a Tomcat-specific thing, not directly
> portable to another Servlet Engine.
> But it does come into play *before* a
> request has been dispatched to a particular application, which is what you
> seem to want here.)