Reputation: 3866
I am trying to create a custom realm in Tomcat. My problem is that there is a SessionAttributeListener as part of the framework which checks to see if any object added to the session is serializable, and if it isn't it causes problems... like invalidating the session.
Because org.apache.catalina.realm.GenericPrincipal is not serializable, I tried to write my own class that implements Principal and Serializable. This seems to be fine except if I then try to use
request.isUserInRole("user")
I get false for that, and any other role which the user should have. If I swap out GenericPrincipal for CustomPrincipal in my Valve class it returns true. So my question is:
Edit: Just to be clear, I actually already implemented this. The code in CustomPrincipal is exactly the same as GenericPrincipal, except it also implements Serializable. request.isUserInRole("user") returns false when in my Valve I have:
request.setUserPrincipal(new CustomPrincipal(args...));
but not when I do
request.setUserPrincipal(new GenericPrincipal(args...));
Any call to request.getUserPrincipal() will return CustomPrincipal when I am using that class.
Upvotes: 3
Views: 4821
Reputation: 112366
You need to give us more context. But notice that Principal is intended to be abstract anyway; KerberosPrincipal, for example, implements both Principal and Serializable, so there is some way to do it.
What isUserInRole does is wrap a request to the implementing class to see if the user -- identified by the Principal -- is really in that role. So I think the first thing might be to call getUserPrincipal and see what the servlet thinks the current Principal is.
Upvotes: 1
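What the delegation described in the answer means for the question's CustomPrincipal, as an added example that is not part of the original posts and is not Tomcat's code: a self-contained model in which the realm's role check accepts only its own principal type (Tomcat's RealmBase tests for GenericPrincipal in the same way), so a look-alike class gets false until the custom realm overrides the check. ContainerPrincipal, BaseRealm, CustomRealm and RoleCheckDemo are hypothetical names, and the sample user and role are constructed.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.Set;

public class RoleCheckDemo {
    // Stand-in for the container's own principal type (hypothetical model).
    static class ContainerPrincipal implements Principal {
        final String name; final Set<String> roles;
        ContainerPrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Same code plus Serializable, but an unrelated type as far as instanceof goes.
    static class CustomPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        final String name; final Set<String> roles;
        CustomPrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Stand-in for the realm that isUserInRole delegates to.
    static class BaseRealm {
        boolean hasRole(Principal p, String role) {
            if (p == null || role == null || !(p instanceof ContainerPrincipal)) {
                return false; // unknown principal types fail closed
            }
            return ((ContainerPrincipal) p).hasRole(role);
        }
    }

    // Custom realm that also understands the serializable principal.
    static class CustomRealm extends BaseRealm {
        @Override boolean hasRole(Principal p, String role) {
            if (p instanceof CustomPrincipal && role != null) {
                return ((CustomPrincipal) p).hasRole(role);
            }
            return super.hasRole(p, role);
        }
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("user"); // constructed sample data
        Principal generic = new ContainerPrincipal("alice", roles);
        Principal custom = new CustomPrincipal("alice", roles);
        System.out.println("base realm, container principal: " + new BaseRealm().hasRole(generic, "user"));
        System.out.println("base realm, custom principal:    " + new BaseRealm().hasRole(custom, "user"));
        System.out.println("custom realm, custom principal:  " + new CustomRealm().hasRole(custom, "user"));
    }
}
```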