Ambarish Mitra wrote:
>>> The custom valve talks with an external authentication system and gets the
>>> username. The external system does not store the roles.
>>>
>>> The authenticated username is then read in the Valve - it is one of the
>>> usernames in the tomcat Realm. Now, from here in the Valve, how do I get the
>>> roles of the user in the tomcat realm?
>> Which Realm are you trying to use?
>>
>> I am using a custom realm. I am not using any of the standard realms because
>> the authentication is not handled by the standard realms.
>>
>
> The reason I ask is that I wanted to know where you're storing the
> user/role information. I will assume that you are using a database.
>
> Actually no. In fact, I do not care. The Valve talks with an external
> authentication engine and gets the username. The back-end of the external
> engine is hidden from the tomcat. The Valve does a http redirection to the
> external form where users enter their login/password, and the same form
> authenticates against its own store, and redirects back to the tomcat valve.
> The valve then understands that it is authenticated (looking at http
> request) and so gets the userid.
>
> The external system does not store the tomcat realm roles.
>
> In your Valve, you could just replicate the internal processes* of the
> Realm to determine the roles and assign them to the Principal.
>
> * define & use SQL statements to look up the roles for the supplied
> username.
>
> So, what I can do is: in the valve, I will call the user repository of
> tomcat to see what all roles it has, and then set the principal.

That's what I'm suggesting.

> The same can be done by the custom realm.

Not the way you are currently doing things. You are far better off just doing it all in one place, the Valve. It'll be easier to administer, monitor and debug when it breaks.

Alternatively, you could implement the whole thing as a JAAS module, which would allow you to link all of the parts you want.

Even more alternatively, you could implement your Valve as an Authenticator. Have a look at the Tomcat source for Authenticator and AuthenticatorBase, this may allow you to hook up your Realm.

p
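
One way to do the role lookup in the Valve as suggested above, shown as an added example that is not code from this thread or from Tomcat. It assumes Tomcat 7 to 9 (javax.servlet and the three-argument GenericPrincipal constructor), a hypothetical user_roles(user_name, role_name) table, a hypothetical connectionURL attribute on the Valve element, and a hypothetical verifiedUsername hook standing in for the existing redirect handshake with the external system.

```java
import java.io.IOException;
import java.sql.*;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

// Added example. Class, table, column and attribute names are assumptions.
public abstract class ExternalAuthRoleValve extends ValveBase {
    private static final String ROLE_SQL = "SELECT role_name FROM user_roles WHERE user_name = ?";
    private String connectionURL; // JDBC URL, set from the Valve's connectionURL attribute
    public void setConnectionURL(String url) { this.connectionURL = url; }

    // Hypothetical hook for the existing handshake: returns the username the external
    // system vouched for, or null after it has redirected the browser to the login form.
    protected abstract String verifiedUsername(Request req, Response res) throws IOException;

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String user = verifiedUsername(request, response);
        if (user == null) return; // not authenticated yet, response already committed
        List<String> roles;
        try {
            roles = loadRoles(user);
        } catch (SQLException e) {
            // Fail closed: if the role store is unreachable, nobody gets through.
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        // A user with no rows gets an empty role list, so role-protected
        // resources are refused by the container's own constraint checks.
        request.setUserPrincipal(new GenericPrincipal(user, null, roles));
        request.setAuthType("EXTERNAL"); // constructed label
        getNext().invoke(request, response);
    }

    private List<String> loadRoles(String user) throws SQLException {
        List<String> roles = new ArrayList<>();
        try (Connection c = DriverManager.getConnection(connectionURL);
             PreparedStatement ps = c.prepareStatement(ROLE_SQL)) {
            ps.setString(1, user); // bound parameter, never string-concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) roles.add(rs.getString(1));
            }
        }
        return roles;
    }
}
```

The username must come from something the external system's response proves, not from a value the browser can set on its own, since every role decision after this point is keyed on it.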