Tomcat Authentication with Realms

roberto.riggio

Hi,

I've successfully configured Tomcat (5.0) to use the realms for
authenticating users.

Basically I have a set of roles and some security constraints for
limiting the access to some pages.

In my system the user must choose one role among all the roles
associated to him in the database.

I would like to know if this can be done by using the Tomcat
authentication facility,

e.g. by adding a drop-down list of roles to the authentication form.

At the present moment the user chooses the role after the login and the
system maintains a session variable with this role.

Do you have any suggestions???
 
cbongior

Well, why not use something like a "Role Proxy"?

So, when you create your principal, you delegate the roles that it has
to a proxy. Of course, you will need it on a per-principal instance,
but you will need it to be changeable outside the principal.

So, you could do:

import java.security.Principal;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

// Minimal Role type assumed by the snippet (it was not shown in the post).
interface Role {
    String getName();
}

class AdminRole implements Role {
    public String getName() { return "Admin"; }
}

class GuestRole implements Role {
    public String getName() { return "Guest"; }
}

public final class RoleProxy {
    // The one role currently selected for each principal.
    private static Map roles = new HashMap();

    private static final Role ADMIN_ROLE = new AdminRole();
    // repeat for roles desired
    private static final Role DEFAULT_ROLE = new GuestRole();

    public static Role getRole(Principal p) {
        Role role = (Role) roles.get(p);
        if (role == null)
            role = DEFAULT_ROLE;
        return role;
    }

    // specifically limited to package scope. When a new role is
    // selected, your web-app sets the role here
    static void setRole(Principal p, Role r) {
        roles.put(p, r);
    }
}

class MyPrincipal implements Principal {
    private final String name;

    MyPrincipal(String name) { this.name = name; }

    public String getName() { return name; }

    // Exposes only the role currently selected through RoleProxy.
    public List getRoles() {
        Role r = RoleProxy.getRole(this);
        List roles = new LinkedList();
        roles.add(r);
        return roles;
    }
}

I haven't written a realm since 4.1 was new and Hot, but that is
vaguely how I remember it. I hope this gives you some ideas.

Christian

http://christian.bongiorno.org/resume.pdf
 
Daniel Rohe

Doesn't the realm provide that feature by default? I thought the Tomcat
documentation states that you have to create two tables for user
authentication and authorization.

Table User with Username and Password, where Username is the primary key,
and table User_Role with Username and Rolename, where (Username, Rolename)
is the primary key.

When you use your realm and have, for example, two users Jon and Jane, and in
the User_Role table the entries (Jon, Admin), (Jon, User) and (Jane, Guest),
then you can check for example the Admin role in your servlet with
request.isUserInRole("Admin"). This method returns true only when the
request was made by user Jon. For user Jane the same check will return
false. The check for role User will also return true for user Jon and false
for user Jane.

Kind Regards,
Daniel

> Hi,
>
> I've successfully configured Tomcat (5.0) to use the realms for
> authenticating users.
>
> Basically I have a set of roles and some security constraints for
> limiting the access to some pages.
>
> In my system the user must choose one role among all the roles
> associated to him in the database.

Why do you restrict access to specific web pages under one role for a
user who can access these web pages under another role?
 
Hamvil

Because I want to let the user choose one role (among N) and browse the
system using only that role. This is basically because the system
manages different "events" and for each event the user can own a
different role:

event_1 -> roleX
event_2 -> roleY

and some content changes according to the role
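Added example, not code from any of the posters or from Tomcat itself: a servlet Filter that implements the "pick one active role" behaviour Daniel's isUserInRole() description and Hamvil's per-event requirement call for. The realm keeps doing authentication and keeps deciding which roles the user really holds; the filter only records which one of those roles the user selected and wraps the request so that isUserInRole() answers for that role alone. The parameter name, session attribute name and the two role names in the comments are assumptions for this example. The security-relevant check is that the selection is accepted only if the unwrapped request already reports the role, so the drop-down cannot be used to claim a role the database never granted.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Narrows the container's role view to the single role the user picked.
 * Map it in web.xml to the URLs whose content depends on the active role.
 */
public class ActiveRoleFilter implements Filter {

    // Session attribute holding the chosen role (name is an assumption).
    static final String ACTIVE_ROLE_ATTR = "activeRole";
    // Form parameter sent by the role drop-down (name is an assumption).
    static final String SELECT_PARAM = "selectRole";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // Role selection. Only accept a role the realm actually granted to
        // this authenticated user; e.g. Jane posting selectRole=Admin is ignored
        // because the unwrapped request says she is not in role Admin.
        String wanted = http.getParameter(SELECT_PARAM);
        if (wanted != null && http.getUserPrincipal() != null && http.isUserInRole(wanted)) {
            http.getSession(true).setAttribute(ACTIVE_ROLE_ATTR, wanted);
        }

        // Everything downstream sees only the active role.
        chain.doFilter(new ActiveRoleRequest(http), res);
    }

    /**
     * The whole decision in one place: a role has been chosen, it is the role
     * being asked about, and the realm still grants it on this request (so a
     * role revoked in the database stops working without waiting for logout).
     */
    static boolean isActive(String activeRole, String askedRole, boolean realmGrants) {
        return activeRole != null && activeRole.equals(askedRole) && realmGrants;
    }

    /** Request wrapper whose isUserInRole() answers for the active role only. */
    static class ActiveRoleRequest extends HttpServletRequestWrapper {
        ActiveRoleRequest(HttpServletRequest r) { super(r); }

        public boolean isUserInRole(String role) {
            HttpServletRequest orig = (HttpServletRequest) getRequest();
            HttpSession s = orig.getSession(false);
            String active = (s == null) ? null : (String) s.getAttribute(ACTIVE_ROLE_ATTR);
            // Before any selection every programmatic role check is false,
            // so pages must send the user to the selection form first.
            return isActive(active, role, orig.isUserInRole(role));
        }
    }
}
```

Two caveats. First, the `<security-constraint>` / `<auth-constraint>` entries in web.xml are evaluated by the container before any filter runs and against every role the realm assigned, so this wrapper narrows only what the application sees through isUserInRole(); a page that must be reachable under role X but not under role Y while the same user holds both has to be guarded in the application, not by the container constraint. Second, because the check re-asks the unwrapped request on every call, the session attribute never becomes an independent source of authority: tampering with it gains nothing beyond what the realm already grants.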
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,764
Messages
2,569,564
Members
45,039
Latest member
CasimiraVa

Latest Threads

Top