tomcat-dev mailing list archives

From Shachor Gal <shac...@techunix.technion.ac.il>
Subject Re: authorization providers (was More on JAAS)
Date Tue, 18 Apr 2000 18:19:04 GMT

I think that this argument is getting a little out of proportion here...

You are comparing two completely different things:
1. A working servlet container (Tomcat)
2. A design that (relative to the above) is mostly on the blackboard.

And, you make the comparison based on a portion of Tomcat that is known
to be unfinished...

The way I see it, the Realm object as well as the Host, Logger and other
Catalina objects are not the big deal here. We can have the same objects
alive and kicking in Tomcat in a shorter time (nothing in Tomcat blocks us
from having a Realm class, for example...). This is mainly an implementation
step. Think for a moment: had Craig developed the Tomcat security
subsystem, he could have added this Realm object without a problem... No one
would -1 it because it is a (relatively) minor change.

The main issue, and this is what we do not really talk about, is the nuts
and bolts of the difference:
- Tomcat is based on request manipulation through interceptors that
  eventually select the wanted context and execute it.
  It is very simple.
  It is very flexible.
  It looks messy.

- In Catalina the request will traverse through Containers until it
  arrives at the correct container and, in this container, at the correct
  context.
  It is relatively complex.
  It is very flexible.
  It looks clean (cannot really judge without a real implementation).

This is the real difference, not the Realm/pluggable XXX/Extensible YYY...
By adding to the current Tomcat code we can accomplish all the goals listed
by Craig (in the Catalina document) and it will be faster!!!

> > What is missing in the current model? It seems all web servers ( IIS, Nes,
> > Apache at least) are doing fine with the filter/SAF/module model.
>
> One particular thing that's missing is a way to implement isUserInRole()
> without adding another callback.
>
> On a larger scale, and as we will discuss more, I'm sure, Tomcat is not a
> web server -- that problem has been solved quite nicely, thank you.  Instead,
> it is a container for web based applications, which do not necessarily have
> the same requirements for functionality (or even the same sweet spots for
> performance optimizations).
> Doing things in Tomcat "just because web servers do them that way" is not a
> sufficient argument, without understanding the costs imposed by that design.
......

iPlanet and IIS are (for now at least) more of a web application server
than Tomcat, and they manage to get the work done using (mainly) filters and
iteration. But this is not the issue, the issue is:
Do we need in Tomcat/Catalina .... an architecture that is based on
wrappers? Is there a single goal that we cannot achieve with an improved
filter (interceptors) based architecture that we have today?

    Gal Shachor



