Hi folks, I seek guidance on a larger problem I need to solve where I do have a few ideas, but am also considering to what degree it would make sense to add code to the Tomcat codebase for the common good:

I have a realm impl called MyRealm which sources from "store A", it has roles (groups) in a specific format and user attributes. It returns MyPrincipal. Consider you have a webapp which has logical roles "user", "editor", "admin", etc. and also uses those specific attributes. The webapp context maps the roles from "store A" into the logical roles with the PropertiesRoleMappingListener.

Now an additional MyRealm with "store B" comes into play. Of course, the CombinedRealm works perfectly, but "store B" has different role names and different attribute names.

The problem: Both "String Context#findRoleMapping(String)" and "#addRoleMapping(String, String)" do not support 1:n mapping, e.g., "user" role maps to "store_a_role_1" and "store_b_role_5". This would require changing/extending the interface and other classes.

The other problem is, of course, realm-specific. Say "store A" has attribute "gid" which is semantically identical to "store B" attribute "employeeID". From an application PoV this is a consolidation nightmare to touch every single spot to accommodate that.

My idea is going from:

  <CombinedRealm>
    <MyRealm source="store A" />
    <MyRealm source="store B" />
  </CombinedRealm>

to

  <TransformingRealm roleMapper=... attributeMapper=...>
    <CombinedRealm>
      <MyRealm source="store A" />
      <MyRealm source="store B" />
    </CombinedRealm>
  </TransformingRealm>

While the attributeMapper cannot be part of Tomcat because it is realm-specific, do you see a benefit of modifying Context to accommodate 1:n mappings and of course the aftermath?

Let me know your opinion whether this is of good use for the Tomcat code base.

For the sake of completeness, I cannot add "user1", etc. to the application because it will require some hefty code changes as well.

Michael
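
An illustration added here, not part of the original message and not Tomcat code: a stand-alone sketch of the 1:n role mapping described above, where one logical role is granted by a role from either store. The class, its method signatures and the role "store_a_role_9" are hypothetical; it also assumes the principal records which store authenticated it, so that equal role names in the two stores cannot grant each other's logical roles.

```java
import java.util.*;

// Added illustration; class and method names are hypothetical, not Tomcat API.
public class OneToManyRoleMapper {
    // Store role qualified by its source, so equal names in two stores never collide.
    public record StoreRole(String source, String role) {}

    // logical role -> every store role that grants it (the 1:n direction)
    private final Map<String, Set<StoreRole>> mappings = new HashMap<>();

    public void addRoleMapping(String logicalRole, String source, String storeRole) {
        mappings.computeIfAbsent(logicalRole, k -> new LinkedHashSet<>())
                .add(new StoreRole(source, storeRole));
    }

    // Returns all mapped store roles, where String findRoleMapping(String) returns one.
    public Set<StoreRole> findRoleMappings(String logicalRole) {
        return Collections.unmodifiableSet(
                mappings.getOrDefault(logicalRole, Collections.emptySet()));
    }

    // Fail closed: an unmapped logical role, or a role from the wrong store, grants nothing.
    public boolean hasRole(String source, Set<String> principalRoles, String logicalRole) {
        for (StoreRole sr : findRoleMappings(logicalRole)) {
            if (sr.source().equals(source) && principalRoles.contains(sr.role())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        OneToManyRoleMapper m = new OneToManyRoleMapper();
        m.addRoleMapping("user", "store A", "store_a_role_1");
        m.addRoleMapping("user", "store B", "store_b_role_5");
        m.addRoleMapping("admin", "store A", "store_a_role_9"); // constructed sample role

        // Both stores' users hold the logical role "user".
        System.out.println(m.hasRole("store A", Set.of("store_a_role_1"), "user"));
        System.out.println(m.hasRole("store B", Set.of("store_b_role_5"), "user"));
        // A store A role name presented by a store B principal grants nothing.
        System.out.println(m.hasRole("store B", Set.of("store_a_role_9"), "admin"));
        // "editor" has no mapping, so nobody holds it.
        System.out.println(m.hasRole("store B", Set.of("store_b_role_5"), "editor"));
    }
}
```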