tomcat-dev mailing list archives

From Costin Manolache
Subject Re: authorization providers (was More on JAAS)
Date Wed, 19 Apr 2000 23:40:46 GMT
> To be more generic, a container is a container is a container. It could
> be a Servlet container, or it could be a Mailet or Phonelet or EJB or
> any other form of container. Tomcat is one such container.
> The container authenticates the user against a login module. (Whether
> you use JAAS or a different API, the semantics are generally the same)
> The container authenticates using some security provider API. JAAS is
> one such API. Apache modules is another API.
> Some forms of authentication are active (i.e. container goes to module
> and says please authenticate 'Joe'/'secret') others are passive (i.e.
> container gets prior authentication).

That's exactly what I think too. And while JAAS is not an option yet - we
should stay close to the idea and concepts inside - unless we have strong
reasons to think we can abstract the authentication in a better way. That's
why I think tomcat should only bridge between the HTTP request and a
real authentication API.

