tomcat-dev mailing list archives

From Assaf Arkin <>
Subject Re: more stuff on JAAS
Date Mon, 17 Apr 2000 23:24:03 GMT
Costin Manolache wrote:
> Few comments on this thread:
> - I think it would be great to support any data source - even
> if that means non-jdk 1.1 code. As long as tomcat can run on JDK1.1
> I don't see any problem. ( that means JAAS or even LDAP can't be
> part of the "standard" set of modules )

That's actually an argument for the current security provider interface,
since it can abstract a simple LDAP login module for 1.1 and a more
complex JAAS mechanism for 1.2 and beyond.

> - JAAS is probably the best bet for future.  I don't like the fact that
> it's JDK1.3 dependent, and few other things - but it's better to use
> something that has a chance to become standard. Creating our own
> API doesn't help. That's why I don't like RequestSecurityProvider
> in core - we should use the Interceptor as a bridge to another
> API/toolkit, not to create artificial APIs.


However, you do need a way to let the server authenticate the user
directly, for HTTP-based authentication.

> - I don't think LDAP is well-designed for password verification, but

Why? (Except for speed)

> of course I will be happy to see auth modules using LDAP. There is
> no exclusive decision about what tool/auth mechanism to use - if a
> better solution is found we'll just have another module.

Or support them all at once. JAAS allows you to authenticate against
either LDAP, NT Domain, password files, etc. I believe that Kerberos
support is being defined as we speak.

> ( I think Radius and Tacacs are good tools to do distributed passwd
> auth. Probably Kerberos too. The question is - can we support all that
> or should we just use a standard API and create modules for it ?)

JAAS is full of holes due to insufficient specification in 1.0, so don't
expect the following to work today. But as the specification catches up,
it can do something like:

* User dials into network over Radius using a secure card -- JAAS Radius
module kicks in to authenticate user

* User is authorized (as opposed to authenticated) against LDAP server

* HTTP request is made to server, user is already authenticated, Servlet
container just uses same security context

* Servlet invokes remote EJB beans over IIOP, Kerberos carries the
security context (with the proper JAAS plug-ins)


> Costin
