tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Getting HttpRequest inside Realm/Tomcat 4
Date Thu, 25 Oct 2001 23:41:05 GMT

On Thu, 25 Oct 2001, Antony Bowesman wrote:

> Date: Thu, 25 Oct 2001 14:12:36 +0300
> From: Antony Bowesman <>
> Reply-To:
> To:
> Subject: Re: Getting HttpRequest inside Realm/Tomcat 4
> Hi Craig,
> Thanks for your comments again.
> > You're right ... there is nothing there to do this.  The original
> > design was based on the idea that Realm simply encapsulates a
> > service that authenticates a user, given a username and some
> > credentials.  In addition, it needs to work even when HTTP sessions
> > are not in use (for example, for BASIC authentication).
> >
> > One strategy for dealing with this might be to register a session
> > event listener and registers your session in the sessionCreated()
> > event handler.
> I like the realm and general design in TC4, it's much better and cleaner
> than 3.2.  However, I think there is something missing in the realm
> interface authenticate methods, particulary for form login:-
> If you modify a login form to include a field other than j_username and
> j_password so the user can select some kind of 'post login preferences'
> it is not possible to get this extra field to the realm.

The mechanics of form-based login was the subject of no little amount of
discussion in the JSR-053 expert group during the development of Servlet
2.3.  The idea of supporting additional fields was discussed somewhat, but
in the end we decided to punt on making any big-time changes, because it
became obvious that this problem has a larger scope than just logging
users in to a web application.

One of the outgrowths of that realization is another JSR that you might
want to keep track of (via <>:

  JSR #115 -- Java(tm) Authorization Service Provider
              Contract for Containers

Once this is fleshed out, Tomcat can be modified to support the new
SPI contracts, and your Realm-equivalent implementation will itself be
portable to different containers if it conforms.  Until then, though, I'm
a little gunshy about mucking around with the Realm interface.

> We use JAAS for authentication.  JAAS allows  and one of the login
> modules authenticates against our EJB user repository and loads user
> preferences (groups/roles etc) and one feature the user can select is
> their preferred role set for the session.
> I don't think the event listener will work for our use, following login,
> so it seems the following is how I can achieve what I want.
> Replace the org.apache.catalina.authenticator.FormAuthenticator with my
> own FormAuthenticator class by modifying the
> and extend the realm interface to pass either a map of http request
> parameters, or in fact the http request itself.  My realm can do what it
> wants.

That seems like a reasonable strategy.

> What about passing the Request object as a parameter to the Realm
> interface authenticate() methods for 4.1 release.
> And how about having only a JAAS realm in standard tomcat and just
> provide different login modules for jdbc/jndi/other access.
> JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
> Tomcat 4?

The current supported minimum is JDK 1.2.2.  And, I thought JAAS required
1.4 -- am I mis-remembering?

> BTW, I saw you offered your BOF slides to someone, are they available?

I assume you mean my BOF on container-managed security, right?  Forwarded
under separate cover.

> Rgds
> Antony


View raw message