tomcat-dev mailing list archives

From Andy Armstrong <>
Subject Re: realms and authentication
Date Wed, 06 Jun 2001 08:44:23 GMT

wrote:
> Just FYI, I don't think this is a good idea for general
> tomcat authentication.
> One reason is that "credentials" are not always a simple string - you can
> have complex authentication schemes where you require certain schemes
> based on the IP address, etc.

JAAS has been designed to address this problem -- it isn't limited to
plain text username/password credentials.

> GetUserRoles might not work for paranoid realms - if I remember correctly
> some allow you to check if a user has a certain role, but not to find all
> the roles that a user has. For example Apache ( if you treat the native
> apache auth modules as a realm - quite useful for integration with
> apache).

Not quite sure how this could map to JAAS. getPrincipals() returns all
the Principals for a Subject. Actually I suppose it could legitimately
return a subset of Principals based on inspection rights that have been
granted to the caller.

Andy Armstrong, Tagish
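The two points argued above (credentials richer than a username/password string, and a realm that can only answer hasRole rather than enumerate roles) can both be shown against the JAAS API. The following is an added example, not code from this thread, from Tomcat or from the JDK: a LoginModule that asks the container for the client's remote address through a hypothetical RemoteAddressCallback and grants the "admin" role only from the internal network, plus two realm-style lookups over the resulting Subject, a getUserRoles() built from getPrincipals(RolePrincipal.class) and a hasRole() that never enumerates. The class names, the user table and the 10.0.0.0/8 rule are all constructed for the example. One caveat on the reply's closing speculation: the JDK's Subject.getPrincipals() returns the whole set (modifying it needs AuthPermission, reading it does not), so a realm that wants callers to see only hasRole() must enforce that restriction itself, as SubjectRealm does by choosing which method it exposes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical Callback: lets the LoginModule ask the container for the client's address. */
final class RemoteAddressCallback implements Callback {
    private String address;
    public String getAddress() { return address; }
    public void setAddress(String address) { this.address = address; }
}

/** Principal type marking a role held by the Subject (hypothetical, constructed for the example). */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

/** Principal for the authenticated user itself. */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/**
 * LoginModule whose credential is (name, password, remote address): the password proves
 * identity, but the "admin" role is granted only from 10.0.0.0/8. User table and network
 * policy are constructed sample data, not a real configuration.
 */
final class IpAwareLoginModule implements LoginModule {
    private static final Map<String, byte[]> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "s3cret".getBytes(StandardCharsets.UTF_8));
        ROLES.put("alice", new LinkedHashSet<>(Arrays.asList("user", "admin")));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private final Set<RolePrincipal> granted = new LinkedHashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        RemoteAddressCallback ac = new RemoteAddressCallback();
        try {
            handler.handle(new Callback[] { nc, pc, ac });   // container supplies all three
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = pc.getPassword();
        byte[] supplied = new String(pw == null ? new char[0] : pw).getBytes(StandardCharsets.UTF_8);
        pc.clearPassword();
        byte[] expected = PASSWORDS.get(nc.getName());
        // Constant-time comparison; an unknown user fails the same way as a wrong password.
        if (expected == null || !MessageDigest.isEqual(expected, supplied)) {
            throw new FailedLoginException("bad credentials");
        }
        user = nc.getName();
        boolean internal = ac.getAddress() != null && ac.getAddress().startsWith("10.");
        for (String role : ROLES.getOrDefault(user, new HashSet<>())) {
            if (role.equals("admin") && !internal) continue;   // IP-dependent role grant
            granted.add(new RolePrincipal(role));
        }
        return true;
    }

    @Override
    public boolean commit() {
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().addAll(granted);
        return true;
    }

    @Override public boolean abort() { granted.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}

/** Realm-side lookups: the enumerating form and the hasRole-only form a "paranoid" realm would expose. */
final class SubjectRealm {
    static Set<String> getUserRoles(Subject s) {
        Set<String> roles = new LinkedHashSet<>();
        for (RolePrincipal p : s.getPrincipals(RolePrincipal.class)) roles.add(p.getName());
        return roles;
    }
    static boolean hasRole(Subject s, String role) {
        return s.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role));
    }

    public static void main(String[] args) throws Exception {
        for (String addr : new String[] { "10.1.2.3", "203.0.113.9" }) {   // constructed client addresses
            Subject subject = new Subject();
            CallbackHandler h = callbacks -> {
                for (Callback c : callbacks) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                    else if (c instanceof RemoteAddressCallback) ((RemoteAddressCallback) c).setAddress(addr);
                    else throw new UnsupportedCallbackException(c);
                }
            };
            LoginModule lm = new IpAwareLoginModule();
            lm.initialize(subject, h, new HashMap<>(), new HashMap<>());
            if (lm.login()) lm.commit(); else lm.abort();
            System.out.println(addr + " roles=" + getUserRoles(subject) + " admin=" + hasRole(subject, "admin"));
        }
    }
}
```

Compile with javac and run java SubjectRealm: the same user and password yield the "admin" role from 10.1.2.3 but not from 203.0.113.9, which is the IP-dependent credential the quoted poster had in mind. The module is driven directly here rather than through a LoginContext and login Configuration, so it runs offline; in a container the CallbackHandler would be the piece that knows the request's remote address.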
