tomcat-dev mailing list archives

Subject Re: authorization providers (was More on JAAS)
Date Wed, 19 Apr 2000 05:01:40 GMT
On 18 Apr 00, at 21:14, Costin Manolache wrote:

> Mark,
> > I'm all for discussion. After all this is rather groundbreaking stuff.
> > While 'tis true that all of the popular Web servers use a filter model
> > similar to our interceptor model, they also all use C to write their
> > servers. (IIS may use C++, but if it follows MS tradition that is just
> > C++ wrappers around straight C code like the Windows API).
> You can write modules in Perl too. And soon - I hope - you'll be able to
> write modules in Java !

I know about Perl (that's the day job ;) and Apache. There's also a
simplistic Perl API for Netscape and I think you can do something
in IIS, but the point is that even with Perl, the underlying
architecture is still primarily derived because the server itself is in C.

> > And while it is also true that most of our initial deployments will
> > ship with a standard Web server (most likely Apache) that may not
> > always be the case.
> Sure - but whatever design should still be able to
> address Apache integration and be useable in production sites -
> real web servers with real high load.
> Do you think the Realm interface with the 2 methods is the
> right solution for authentication ?

At the moment yes. I think most of the time people are going to do
something that takes a userid and password & then compare that 
to some database, whether that's LDAP, JAAS, password file, a 
database, etc.

I think we can handle extensions (e.g. X509, kerberos) by passing 
in a byte array that is the credentials.

This still requires a callback somewhere to populate the roles. (or 
does it? I thought perhaps SecurityCheck could call isUserInRole 
and if true add the role to the request, if not, remove or don't add 
the role)

> What model for request processing do you prefer ?
> My personal preference is to use Event and EventListeners -
> they have a simpler design and resolve the same problem.
> Maybe one day I'll just implement that as a revolution,
> with a lot more care for GC.
> But I'm not sure it is "better" - and I'll not be sure until
> I have a prototype and I can compare it and see how it works
> in real world.

Actually that's what I've been thinking as well. That perhaps we 
have an AuthenticateEvent and AuthorizationEvent. I'm still thinking 
on what would make this up (e.g. what gets passed to what).

Though I think you need the events to be a two-way street. 

> Web servers have a long history and a lot of smart developers,
> and this model seems to work - and it was more than used in
> all those years. I need more than words to use something
> out of whiteboards.

I agree completely. That's why I think perhaps for 3.x we should
just get something to work. We're already pretty close in terms 
that we can replace the SecurityInterceptor with something and 
authenticate & even authorize a user with a userid & password.

If we can figure the quickest way to get roles populated, then I
think we'll be rather set. I'd be happy to add in the callbacks if 
someone can at least tell me where I need to put in the hooks. 

Then for 4 we can get something better in place. This is sort of like 
Apache. 1.3.x was make it work. 2.0 is how to make it work now 
knowing what we know.

All of this stuff is just so new, I don't think we know enough really 
to say yea or nay on much of anything (in particular since we've
only dealt with the theoretical so far ;). 

I'd also be happy to tackle the event issue, though that's going to 
be a while (most likely) since that's not an area I'm real familiar 
with and I'm committed to several projects in May (though after 
May, I'm pretty free).

> > So while I agree Tomcat will/shouldn't replace the everyday
> > workhorse Web servers, there are areas where it likely will fill in
> > where we cannot see (if you can, make sure you have access to
> > some VC because you'll likely cash in big).
> If we expect people to use servlets/jsp instead or in addition to
> mod_perl/php/asp we should be able to run in similar conditions
> with similar speed. If the response time is more than 2 seconds -
> nobody cares that your software can also run from a toaster. If you can't
> use the same authentication as the rest of your applications -
> nobody cares that you have pluggable APIs or original architecture.

Yes, I just had to wait several seconds for my JSP to compile and
connect to my local LDAP server on my NT box at home. After the 
initial compilation it was quick, but until then... 

Though I wonder if perhaps this is an issue that can be taken care
of by smarter caching or configuration. For example if I don't change
my JSPs between startups, why should the servlet engine 
recompile it? Couldn't we just make a hash of the JSP and store it 
first and then check to see if it's changed between startups before 
we recompile. And if it hasn't can't we just reload the servlet we've 
recompiled (if we're already doing this, please accept my humble

> If we discuss about how the request is processed - including authentication -
> I'm interested to hear how much processing is part of the critical path,
> how and what algorithms and data structures can we use to implement
> the parsing and searching, and how can we reuse existing code.

I agree. I think that we're concentrating so much on particular
issues we're missing the bigger picture (e.g. missing the forest for 
the trees).


> If we discuss about authentication - I'm interested how can we address
> existing systems ( like apache + any auth module). In a controlled
> environment everything works fine and looks flexible.

I think we handle communication with the Web server via the

Which also brings up the question, do we continue to use our 
current protocol or a different one. For example does it need to be 
TCP based or could it be UDP? Or do we investigate something 
like CORBA or even Mozilla's XPCOM (not Mozilla itself just the 
XPCOM protocol).

BTW Is it ok to post code samples here as zips or should I put 
them on the net somewhere for someone to pick up and place in 

> Costin
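
The two-method realm discussed in this message, as an added example that is not part of the original e-mail or of Tomcat's code: a hypothetical `Realm` interface that takes credentials as a byte array, with a security check that populates roles by calling `isUserInRole` for each role the application declares. `MemoryRealm`, `SecurityCheckDemo`, the method signatures and the sample user are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical two-method realm; names and signatures are illustrative, not Tomcat's API.
interface Realm {
    boolean authenticate(String user, byte[] credentials); // opaque bytes: password, cert, ticket
    boolean isUserInRole(String user, String role);
}

// In-memory stand-in for a password file, LDAP directory or database.
// Secrets are kept in the clear only to keep the demo short.
class MemoryRealm implements Realm {
    private final Map<String, byte[]> secrets = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();

    void addUser(String user, String password, String... userRoles) {
        secrets.put(user, password.getBytes(StandardCharsets.UTF_8));
        roles.put(user, new HashSet<>(Arrays.asList(userRoles)));
    }

    public boolean authenticate(String user, byte[] credentials) {
        byte[] expected = secrets.get(user);
        // MessageDigest.isEqual does not stop at the first mismatching byte.
        return expected != null && credentials != null
                && MessageDigest.isEqual(expected, credentials);
    }

    public boolean isUserInRole(String user, String role) {
        return roles.getOrDefault(user, Collections.emptySet()).contains(role);
    }
}

public class SecurityCheckDemo {
    // Authenticate first; only then ask the realm about each declared role.
    // An empty Optional means authentication failed and no roles were looked up.
    static Optional<Set<String>> check(Realm realm, String user, byte[] creds,
                                       List<String> declaredRoles) {
        if (!realm.authenticate(user, creds)) return Optional.empty();
        Set<String> granted = new LinkedHashSet<>();
        for (String role : declaredRoles)
            if (realm.isUserInRole(user, role)) granted.add(role);
        return Optional.of(granted);
    }

    public static void main(String[] args) {
        MemoryRealm realm = new MemoryRealm();
        realm.addUser("alice", "s3cret", "admin"); // constructed sample user
        List<String> declared = Arrays.asList("admin", "manager");
        System.out.println(check(realm, "alice", "s3cret".getBytes(StandardCharsets.UTF_8), declared));
        System.out.println(check(realm, "alice", "guess".getBytes(StandardCharsets.UTF_8), declared));
    }
}
```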
