This is weird, check this out:
//code (tomcat 5.5.23)
java.security.Principal p = request.getUserPrincipal();
System.out.println(p.getClass().getName().equals(MemoryUser.class.getName())); // prints "true"
System.out.println(p.getClass().equals(MemoryUser.class)); // prints "false"
So what this is saying is that the *names* of the classes are the same,
but the actual classes are different. This is crazy...
Good news is that p.toString() prints out that user's details in the form
<user username="user1" password="pass" roles="public"/>, so I can hack
the role names out of that. But that's a very dirty hack and I'm amazed
that this is so hard...
Does anyone have any input on why this might be so, and/or a better
solution to convert the request principal to something I can get
role names out of?
Thanks!
Matthew Kerle wrote:
//code
Object o = ic.lookup("java:comp/env/users");
System.out.println(o.getClass().getName()); // prints: "org.apache.catalina.users.MemoryUserDatabase"
Doing instanceof tests on the returned object for MemoryUserDatabase &
UserDatabase all fail, even though in debug that's clearly what it
identifies as.
Could this be a security manager thing? I notice that in the Tomcat
manager deployment descriptor it has privileged="true" in the Context
tag. Are only privileged applications allowed access to the
UserDatabase? (This would make sense as you could enumerate all users
& passwords...)
--
Matthew Kerle
IT Consultant
Canberra, Australia
Mobile: +61404 096 863
Email : [EMAIL PROTECTED]
Web : http://threebrightlights.blogspot.com/
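
Added example, not part of the original message or of Tomcat's code: in the JVM a class is identified by its name together with the class loader that defined it, and this stand-alone program reproduces the reported symptom (equal names, unequal classes, failing instanceof) by loading one class through two loaders. LoaderIdentityDemo and SampleUser are hypothetical names, and the program assumes it was compiled with javac into a directory or jar on disk.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;

public class LoaderIdentityDemo {

    // Hypothetical stand-in for a container class such as MemoryUser.
    public static class SampleUser {
        public String getRoles() { return "public"; }
    }

    public static void main(String[] args) throws Exception {
        // Directory or jar this demo was compiled into (assumes javac output on disk).
        URL here = LoaderIdentityDemo.class.getProtectionDomain()
                                           .getCodeSource().getLocation();

        // Parent is null, so this loader defines its own copy of SampleUser
        // instead of delegating to the loader that defined ours.
        try (URLClassLoader isolated = new URLClassLoader(new URL[] { here }, null)) {
            Class<?> theirs = isolated.loadClass(SampleUser.class.getName());
            Object p = theirs.getDeclaredConstructor().newInstance();

            // Same comparisons as in the message, plus the loaders behind them.
            System.out.println("same name:    "
                    + p.getClass().getName().equals(SampleUser.class.getName()));
            System.out.println("same Class:   " + p.getClass().equals(SampleUser.class));
            System.out.println("instanceof:   " + (p instanceof SampleUser));
            System.out.println("their loader: " + p.getClass().getClassLoader());
            System.out.println("our loader:   " + SampleUser.class.getClassLoader());

            // A cast to SampleUser would throw ClassCastException here. Reflection
            // resolves the method on the object's own Class, so it still works
            // across the loader boundary.
            Method m = p.getClass().getMethod("getRoles");
            System.out.println("roles via reflection: " + m.invoke(p));
        }
    }
}
```

Inside a servlet, HttpServletRequest.isUserInRole(String) answers role questions through the Servlet API without the web application touching container classes at all.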
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org