tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: authorization providers (was More on JAAS)
Date Thu, 20 Apr 2000 00:25:18 GMT
Arkin wrote:

> It's hard for me to comment on this e-mail, it seems to confuse two
> different topics. One is authentication at the protocol level (HTTP,
> WAP, etc) and one is back end authentication and authorization.
> The first is totally dependent on the protocol. It might work differently
> for HTTP than for WAP, it might work differently if Tomcat is standalone
> vs. connected to Apache. It might work differently for HTTP 1.0 than 1.1.
> The second is totally dependent on the container API defined in the J2EE
> architecture and covers the authentication & authorization of users,
> regardless of protocol. It works the same way whether the protocol is
> HTTP or WAP, RMI or IIOP, client application or server, synchronous or
> asynchronous (JMS).
> In my opinion it's Tomcat's responsibility to support at the least an
> HTTP adapter and delegate that to a security provider, but the security
> provider need not understand HTTP specific issues, or even be exposed to
> such issues.

I think we're in total agreement on this intent.  And I even think that you summarized
(much more concisely) what I was trying to say.

The issue that raised this long-winded thread was design choices in implementing this
conclusion.  Tomcat 3.x combines the two concepts in one class (but lets you subclass to
change realm implementations); Catalina separates the two concepts and lets you combine
your favorite authentication mechanism and an adapter to your favorite security provider by
composition instead.

> arkin
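To make the split Arkin and Craig describe concrete, here is an added sketch (not code from Tomcat, Catalina or either author; the Realm, SimplePrincipal, MemoryRealm and BasicHttpAuthenticator names and signatures are invented for this example). The HTTP adapter is the only piece that knows what an Authorization header looks like; the security provider only ever sees a username and a credential, so the same provider could sit behind a WAP or RMI adapter unchanged. The two are wired together by handing the provider to the adapter's constructor, which is the composition approach rather than the subclassing one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch (not Catalina's real classes): a protocol-specific
// authenticator for HTTP Basic composed with a protocol-agnostic security
// provider. The Realm never sees an HTTP header; the authenticator never
// sees a password table.

/** Protocol-agnostic security provider. Knows nothing about HTTP. */
interface Realm {
    /** Returns the authenticated Principal, or null if the credentials are rejected. */
    Principal authenticate(String username, char[] credentials);
    boolean hasRole(Principal principal, String role);
}

/** Minimal Principal. */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/** In-memory realm with constructed sample users; a stand-in for a JAAS, JDBC or LDAP backed provider. */
final class MemoryRealm implements Realm {
    private final Map<String, byte[]> secrets = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();

    void addUser(String name, String password, Set<String> userRoles) {
        secrets.put(name, password.getBytes(StandardCharsets.UTF_8));
        roles.put(name, userRoles);
    }

    @Override public Principal authenticate(String username, char[] credentials) {
        byte[] expected = secrets.get(username);
        if (expected == null) return null;
        byte[] given = new String(credentials).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison: the result must not leak how many bytes matched.
        boolean ok = MessageDigest.isEqual(expected, given);
        Arrays.fill(given, (byte) 0);
        return ok ? new SimplePrincipal(username) : null;
    }

    @Override public boolean hasRole(Principal principal, String role) {
        return principal != null && roles.getOrDefault(principal.getName(), Set.of()).contains(role);
    }
}

/** Protocol-specific adapter: parses HTTP Basic and delegates the decision to whichever Realm it was given. */
final class BasicHttpAuthenticator {
    private final Realm realm;
    BasicHttpAuthenticator(Realm realm) { this.realm = realm; }   // composition, not subclassing

    /** Takes the raw Authorization header value; returns the Principal or null. */
    Principal authenticate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                                   // no Basic credentials presented
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                                   // malformed base64: treat as unauthenticated
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;                        // Basic requires "user:password"
        char[] password = pair.substring(colon + 1).toCharArray();
        try {
            return realm.authenticate(pair.substring(0, colon), password);
        } finally {
            Arrays.fill(password, '\0');                   // scrub the secret once the realm has seen it
        }
    }
}

public class AuthCompositionDemo {
    public static void main(String[] args) {
        MemoryRealm realm = new MemoryRealm();
        realm.addUser("arkin", "s3cret", Set.of("manager"));   // constructed sample user

        BasicHttpAuthenticator http = new BasicHttpAuthenticator(realm);
        String good = "Basic " + Base64.getEncoder().encodeToString("arkin:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad  = "Basic " + Base64.getEncoder().encodeToString("arkin:wrong".getBytes(StandardCharsets.UTF_8));

        Principal p = http.authenticate(good);
        System.out.println("good header -> " + (p == null ? "rejected" : p.getName())
                + ", manager=" + realm.hasRole(p, "manager"));
        System.out.println("bad header  -> " + (http.authenticate(bad) == null ? "rejected" : "accepted"));
        System.out.println("no header   -> " + (http.authenticate(null) == null ? "rejected" : "accepted"));
    }
}
```

Swapping MemoryRealm for a JAAS- or JDBC-backed Realm touches only the constructor argument, and adding a second protocol adapter (form login, WAP, whatever) means writing one new class against the same Realm interface rather than subclassing a combined authenticator-plus-realm class.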

