I understand this isn't your standard question, but I need to join our existing (custom) measures with the Tomcat security management so that we can get Tomcat to remember a Principal created by us so that it can be passed (via SSO) to another context in the same container.
i.e. user logs in to our application, we tell Tomcat about the user, user visits the other context and that context knows who the user is.
1. Setting the Principal on the Request
The org.apache.catalina.connector.Request class has a method to set the userPrincipal, but that is the method that should be used by the container to pass it to us; if we set the Principal there it would have no effect beyond that request. Anyhow, the Request is wrapped by the org.apache.catalina.connector.RequestFacade and is not accessible without doing nasty things.
2. Creating a custom Realm
This is where I am at the moment, but Realms are used to provide the user details to the Container after the user is challenged via an authentication setting, e.g. security detects a role requirement, authentication challenges user, credentials tested by Realm.
The actual place you want to tap into the code is the AuthenticatorBase.register(...) method but buggered if I can see a way there.
To rehash: we have not defined container-managed security settings since the securing of pages, the login forms and login process are all managed already and are not compatible with other implementations.
Maybe I'm overcomplicating this. If the aim is to provide SSO across two contexts then I can do this without Tomcat's help. Even though they supply an SSO valve, it too required the registration above and we go around the circle again.
Self implemented SSO it is, then.
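
The post ends on a self-implemented SSO without saying how it works, so here is one way two contexts could share the logged-in user: the context that handles the login issues a signed, expiring token, and the other context verifies it before trusting the username. This is an added example, not code from the post or from Tomcat; the class name SsoToken, the token layout, the shared HMAC key and the idea of carrying the token in a cookie visible to both contexts are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SsoToken {                       // hypothetical helper, not a Tomcat class
    private static final String ALG = "HmacSHA256";
    private final byte[] key;                 // assumption: same secret configured in both contexts

    public SsoToken(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(new SecretKeySpec(key, ALG));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** Issued by the context that performed the login. */
    public String issue(String username, long expiresAtMillis) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = enc.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtMillis;
        return payload + "." + enc.encodeToString(mac(payload));
    }

    /** Called by the other context; returns the username, or null if the token is rejected. */
    public String verify(String token, long nowMillis) throws Exception {
        String[] p = token == null ? new String[0] : token.split("\\.");
        if (p.length != 3) return null;
        try {
            byte[] sent = Base64.getUrlDecoder().decode(p[2]);
            // Check the MAC in constant time before trusting any field of the token.
            if (!MessageDigest.isEqual(sent, mac(p[0] + "." + p[1]))) return null;
            if (Long.parseLong(p[1]) <= nowMillis) return null;   // expired
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {   // malformed Base64 or expiry field
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and user; a real key comes from protected configuration.
        SsoToken sso = new SsoToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String t = sso.issue("alice", now + 60_000);
        System.out.println(sso.verify(t, now));             // freshly issued token
        System.out.println(sso.verify(t + "x", now));       // altered signature
        System.out.println(sso.verify(t, now + 120_000));   // checked after expiry
    }
}
```

Without the MAC and expiry check, the second context would be accepting whatever username the browser presents, which is the gap container-managed SSO normally closes.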
