tomcat-dev mailing list archives

From Jean-francois Arcand <jeanfrancois.arc...@sun.com>
Subject [PATCH][jakarta-tomcat-catalina] Refactoring AuthenticatorBase and RealmBase
Date Wed, 07 Aug 2002 01:58:02 GMT
Hi,

attached is a patch that refactors o.a.c.authenticator.AuthenticatorBase 
and o.a.c.realm.RealmBase. In the actual implementation, the logic 
behind resources access authorization is under Authenticator's protected 
method:

    /**
     * Perform access control based on the specified authorization constraint.
     * Return <code>true</code> if this constraint is satisfied and processing
     * should continue, or <code>false</code> otherwise.
     *
     * @param request Request we are processing
     * @param response Response we are creating
     * @param constraint Security constraint we are enforcing
     *
     * @exception IOException if an input/output error occurs
     */
    protected boolean accessControl(HttpRequest request,
                                    HttpResponse response,
                                    SecurityConstraint constraint)

This method implements the security authorization logic required in the 
Servlet 2.x spec. I recommend this method be moved under the RealmBase 
class. I think authorization logic should fall under the same class as 
Principal/Role authorization logic. This way people will be able to 
customize resources access. I have added the following method to Realm 
and RealmBase (same logic as AuthenticatorBase):

    /**
     * Perform access control based on the specified authorization constraint.
     * Return <code>true</code> if this constraint is satisfied and processing
     * should continue, or <code>false</code> otherwise.
     *
     * @param request Request we are processing
     * @param response Response we are creating
     * @param constraint Security constraint we are enforcing
     * @param context Context to which client of this class is attached.
     *
     * @exception IOException if an input/output error occurs
     */
    public boolean hasResourceAccess(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint constraint,
                                     Context context)

I'm currently in the process of implementing JSR 115 "Java Authorization 
Contract for Containers" and the only way to implement this JSR elegantly 
without changing anything in the actual behaviour/logic is by adding 
a new Realm class, and then delegating the logic to that class.

Note: Actual Realms are not impacted by this patch.

Thanks,

-- Jeanfrancois
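
The delegation proposed in this message, sketched as an added example (not code from the attached patch or from Tomcat): the authenticator only asks the realm for a decision, so a custom realm can change resource access on its own. All class names, the String/Set parameters and the MaintenanceRealm rule are simplified stand-ins assumed for illustration, and the default check is reduced to a role match.

```java
import java.util.Set;

// Simplified stand-ins (assumptions), not the real org.apache.catalina types.
public class RealmDelegationSketch {

    /** Stand-in for SecurityConstraint: the roles allowed on a protected resource. */
    static class Constraint {
        final Set<String> roles;
        Constraint(Set<String> roles) { this.roles = roles; }
    }

    /** Stand-in for Realm/RealmBase, now holding the authorization decision. */
    static class BaseRealm {
        /** userRoles is null when the caller is unauthenticated. */
        boolean hasResourceAccess(String uri, Set<String> userRoles, Constraint c) {
            if (c == null) return true;            // resource is not protected
            if (userRoles == null) return false;   // protected, no principal: deny
            for (String role : c.roles) {
                if (userRoles.contains(role)) return true;
            }
            return false;                          // no matching role: deny
        }
    }

    /** Hypothetical custom realm: tightens the decision without touching the authenticator. */
    static class MaintenanceRealm extends BaseRealm {
        @Override
        boolean hasResourceAccess(String uri, Set<String> userRoles, Constraint c) {
            boolean operator = userRoles != null && userRoles.contains("operator");
            if (uri.startsWith("/admin/") && !operator) return false;
            return super.hasResourceAccess(uri, userRoles, c);
        }
    }

    /** Stand-in for AuthenticatorBase: it delegates and maps the answer to a status. */
    static int authorize(BaseRealm realm, String uri, Set<String> userRoles, Constraint c) {
        return realm.hasResourceAccess(uri, userRoles, c) ? 200 : 403;
    }

    public static void main(String[] args) {
        Constraint admin = new Constraint(Set.of("admin", "operator"));
        Set<String> alice = Set.of("admin");   // constructed sample principal
        System.out.println(authorize(new BaseRealm(), "/admin/users", alice, admin));
        System.out.println(authorize(new MaintenanceRealm(), "/admin/users", alice, admin));
        System.out.println(authorize(new BaseRealm(), "/admin/users", null, admin));
    }
}
```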

