tomcat-dev mailing list archives

From Jam...@cardsetc.com
Subject [Catalina] Volunteer to build the JNDI realm
Date Thu, 01 Jun 2000 07:38:56 GMT
Hey folks,

I'd like to volunteer to build the JNDI realm on the Catalina plan.

1. I've implemented something similar for the project that I am presently
working on (which is using Tomcat as its servlet engine) and would like to
use that experience to develop this realm.
2. The work done by the Tomcat team is excellent, and I'd like to
contribute something in aid of the project.
3. This will be my first contribution to an Open-Source project, and will
be done on my own time, so I'm picking a smallish piece of work!

To kick off a discussion of the design, for those that are interested, here
are the implementation options as I see them; I'm open to alternatives!

1. The JNDI realm will connect to the directory when it is started, using
the 'manager' account.  As each request for authentication comes in, it
will search for the user name in the directory to confirm that the user
exists.  It will then attempt to connect to the directory AGAIN, using the
credentials supplied along with the user name.  It is my experience that
directory servers generally don't like to return the user passwords to
their clients, hence the need to connect again.  (My experience was with
Netscape Directory Server.)

2. As option #1, only the 2nd connection for authentication will not be
required as the user's 'web-site password' (as opposed to the user's
'directory password') will be stored in some plaintext attribute in the
user's directory entry.

3. The JNDI realm will only connect to the directory when authenticating a
user, and it will connect using the credentials presented by the user.

4. If the connection has been encrypted with SSL and a client certificate
has been presented, then we could compare the certificate being presented
with the certificate stored in the directory as part of the user's
directory entry.

Of these, I think #1 and #3 are the real alternatives.

Anyway, let me know what you think.

Regards,
James W.

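The search-then-bind flow of option #1 (connect as the manager, look the user up, then connect again with the user's own credentials), written out as an added example in plain JNDI; it is not code from this post or from Tomcat's own JNDI realm. The directory URL, manager DN, search base and the `uid` naming attribute are assumptions. It also adds two checks a realm in this shape needs: the user name is escaped before being placed in the search filter, and an empty password is refused before the second bind, because directories treat a simple bind with an empty password as an anonymous bind rather than as a failure.

```java
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class SearchThenBind {
    // Hypothetical connection settings, not taken from the post; adjust for your directory.
    static final String URL = "ldap://ldap.example.test:389";
    static final String MANAGER_DN = "cn=manager,dc=example,dc=test";
    static final String MANAGER_PW = "manager-secret";
    static final String USER_BASE = "ou=people,dc=example,dc=test";
    static DirContext open(String principal, String credentials) throws NamingException {
        java.util.Hashtable<String, String> env = new java.util.Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);  // a rejected bind throws here
    }
    // Escape RFC 4515 filter metacharacters so the supplied name cannot alter the search filter.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    static boolean authenticate(String username, String password) throws NamingException {
        // Empty password = anonymous bind in LDAP, so the second connection would "succeed" for any user.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) return false;
        String userDn;
        DirContext manager = open(MANAGER_DN, MANAGER_PW);  // 1: connect with the manager account
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            NamingEnumeration<SearchResult> hits =
                manager.search(USER_BASE, "(uid=" + escapeFilter(username) + ")", sc);
            if (!hits.hasMore()) return false;  // 2: the user name must exist in the directory
            userDn = hits.next().getNameInNamespace();
        } finally {
            manager.close();
        }
        try {
            open(userDn, password).close();  // 3: connect AGAIN with the user's own credentials
            return true;
        } catch (AuthenticationException e) {  // wrong password: the directory rejects the bind
            return false;
        }
    }
}
```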