Shibboleth SP with Tomcat. How to use <security-constraints>
putmanb at georgetown.edu
Tue Nov 1 19:46:58 GMT 2011
On 11/1/11 7:10 AM, Luis Rodríguez Fernández wrote:
Do you know for a fact that your container implements the Servlet spec
declarative security model in such a manner that inserting a JAAS
subject into the session as a session attribute as you do above results
in those principals being evaluated as roles in the declarative security
model? I personally wasn't aware that that was how it was typically
done.... I was instead under the impression that you would need to
create an HttpServletRequestWrapper and populate it with data such that
it returns the right results for
HttpServletRequest#isUserInRole(String). You then forward the wrapper
instead of the original request in the filterChain.doFilter.
Maybe your way works also, I've just never seen that done.
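
The wrapper approach described in this message, as an added example that is not part of the original post or of Shibboleth's own code. It assumes the SP hands Tomcat the user name as REMOTE_USER and the roles in a request attribute; the attribute name `entitlement`, the `;` separator and the class names are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class RoleWrappingFilter implements Filter {
    // Assumption: roles arrive in this request attribute, ';'-separated.
    // Read it with getAttribute(), never from a client-supplied header.
    private static final String ROLE_ATTRIBUTE = "entitlement";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();
        Object raw = http.getAttribute(ROLE_ATTRIBUTE);
        if (user == null || !(raw instanceof String)) {
            chain.doFilter(req, res); // no identity or no roles: pass through unchanged
            return;
        }
        Set<String> roles = new HashSet<String>();
        for (String r : ((String) raw).split(";")) {
            if (!r.trim().isEmpty()) roles.add(r.trim());
        }
        // Forward the wrapper instead of the original request.
        chain.doFilter(new RoleRequest(http, user, roles), res);
    }

    static final class RoleRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;
        RoleRequest(HttpServletRequest request, String user, Set<String> roles) {
            super(request);
            this.user = user;
            this.roles = Collections.unmodifiableSet(roles);
        }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return user; } };
        }
    }
}
```

The wrapper changes what servlets and filters further down the chain see from `isUserInRole`. Tomcat evaluates `<security-constraint>` elements before the filter chain runs, so those checks are not affected by it.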