tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shachor Gal <>
Subject Re: authorization providers (was More on JAAS)
Date Wed, 19 Apr 2000 10:50:23 GMT

> I'm all for discussion. After all this is rather groundbreaking stuff.
> While 'tis true that all of the popular Web servers use a filter model
> similar to our interceptor model, they also all use C to write their
> servers. (IIS may use C++, but if it follows MS tradition that is just
> C++ wrappers around straight C code like the Windows API).

I am not saying "... Web server X does that, so we must blindly do it 
to ...", my point is that most web servers selected the interceptor model 
and it was not the programming language that forced them to select it (You 
can wrap objects within other object in almost any language). We should 
not just forget this.

Note, I am not saying that we should go with "strict" interceptor model,
only that I need to have a good reason to abandon it in favor of wrappers.

Also, I do not have anything against defining an object that the
authenticate step set inside the Request for the authorize step. I also 
would like us to define the notion of plugable security providers... I do
think however that this has anything to do with interceptors VS wrappers.

> We are talking about Java here and we should be looking for a
> proper Java solution. Perhaps this still leaves us with an interceptor
> based solution. But maybe it doesn't. I mean we haven't even
> talked about using things like reflection and dynamic loading.
> We're doing it for servlets, why not Tomcat itself?
Right on.
As for building Tomcat on the fly, we are not that far away...


    Gal Shachor

View raw message