Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Sender: costin@costin.dnt.ro
Message-ID: <38FE274B.1060175B@costin.dnt.ro>
Date: Wed, 19 Apr 2000 14:38:19 -0700
From: Costin Manolache <costin@costin.dnt.ro>
MIME-Version: 1.0
To: tomcat-dev@jakarta.apache.org
Subject: Re: authorization providers (was More on JAAS)
References: <mS/12hjqp-0009LfS@mail.airmail.net>
 <38FE1DDD.F0C6A814@exoffice.com> <38FE23E3.A0A80A43@costin.dnt.ro>
 <38FE255C.6E24363@exoffice.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

> > > 1. We define a set of interfaces for a J2EE principal and roles
> > > credentials and a way to authenticate given no user, user/password,
> > > user/certificate, cookie. The container only uses these interfaces.
> >
> > The container will use these interfaces in most cases - "only" is too
> > strong :-)
>
> "Only" as in, if the container makes a request to a login module for the
> purpose of J2EE authentication & authorization it will use just these
> interfaces and no other extensions. If the container talks to someone
> else for any other purpose (say just authentication) it can use any
> other interface that makes sense, however, that is a container issue and
> a generic authentication module is not aware of that.

> > ( and tomcat will use the apache modules if it runs in "integrated"
> > mode - the java interfaces will not be called in this case )
>
> +1 In which case the container needs some other way to authenticate.

I'm a bit confused - who is the container?  I thought tomcat is the servlet
container.


Costin