tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: authorization providers (was More on JAAS)
Date Wed, 19 Apr 2000 21:42:11 GMT
Arkin wrote:

> Costin Manolache wrote:
> >
> > One question I have - is it possible to get the list of roles at
> > authentication time?  If that is true, there will be no need for
> > a callback. The callback may be needed only if the number
> > of roles is too big or the auth repository only allow "checkUserInRole",
> > not "getUserRoles" ( nothing is too paranoid in authentication systems).
>
> I would rather than the container not deal with either of that, but
> leave it to the authentication module to determine. Some modules will
> pick up the role list immediately, some will figure them out when
> isUserInRole() is called. Therefore, the container should call
> isUserInRole() on some interface, but never call getUserRoles().
>
> > I mostly agree with that - with the only exception that the set of
> > interfaces
> > should be independent of tomcat core or internals.
>
> +1 The interface should be security specific not container specific.
>

In the case of Catalina's "Realm" interface, the only Tomcat dependency is on
the Container interface.  The rationale is this:  "Realm is an interface that a
security domain must implement to allow Tomcat to authenticate users and
validate roles."  Given that this is the whole point of Realm, it does not seem
like a problem to me -- plus, it allows the security domain to access other
resources of the container if needed.

Beyond that, it's not clear whether we can get away with just the current
authenticate() methods, or whether we might also (or instead) need:

    public boolean authenticate(Request request);

because we want to allow a realm implementation to access any request
properties it needs to.  This introduces one more dependency on the Tomcat
internals, but it's still a Tomcat internal API -- that's OK with me.

Note:  a Realm implementation that itself uses JAAS (on a 1.3 platform)
certainly makes a lot of sense.  But it is not sufficient for many other cases
-- for example, a J2EE server with Tomcat embedded in it will have it's own
notion of users and roles for use by the EJB side, and you want the servlet
side to attach itself to that existing implementation.

Craig



Mime
View raw message