tomcat-dev mailing list archives

From Jeanfrancois Arcand <>
Subject [5] [Proposal] Adding an authorization interface
Date Wed, 27 Nov 2002 21:36:24 GMT

I would like to propose the following re-factorisation of the current
Realm interface. Right now, Realm contains 3 methods related to


I would like to create a new interface called Authorizator (and a default
AuthorizatorBase) that will take care of those methods. I just think
those methods should be grouped together, and I think they are not
directly related to the Realm "concepts" (better separation of
concepts). It will allow people to change the current resource
authorization mechanism without having to modify the Realm interface.

Precisely, the method will have the following signature:

    public boolean hasResourcePermission(HttpRequest request,
                                         HttpResponse response,
                                         SecurityConstraint constraint,
    public boolean hasRolePermission(HttpRequest request,
                                     String role);

    public boolean hasUserDataPermission(HttpRequest request,
                                         HttpResponse response,
                                         SecurityConstraint constraint,
                                         Context context)

In the current implementation, those methods will get invoked by the
AuthenticatorBase and when the user calls isUserInRole().

This factorisation will provide the ability to replace/extend the
default AuthorizatorBase (that implements the Servlet
<security-constraint> stuff... section SRV 12.7) by another mechanism:
LDAP, NFS, Database, File base, JSR 115, etc. This way people will be
able to grant/deny permissions not only based on the web.xml content,
but also using other technologies. Although it is possible to do that
with the current Tomcat 5 codebase, I recommend we create this extra
interface. For J2EE 1.4, I was able to implement JSR 115 without having
too many problems, but I'm sure having a specialized interface will make
implementation easier.

The Realm.hasRole will be deprecated in order to achieve that 

What do you think?


-- Jeanfrancois
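
The separation proposed in this message, as an added sketch that is not code from the original post or from Tomcat. It assumes Java 16 or later; `Req`, `StaticAuthorizator`, `PolicyStoreAuthorizator` and the simplified parameter lists are hypothetical, and only the `Authorizator` name and the two method names come from the message.

```java
import java.util.Map;
import java.util.Set;
// Added sketch, not Tomcat code. Req stands in for Tomcat's HttpRequest and the
// parameter lists are simplified; only the method names come from the message.
public class AuthorizatorSketch {
    record Req(String user) {}   // user is null when nobody is authenticated
    interface Authorizator {
        boolean hasResourcePermission(Req request, Set<String> allowedRoles);
        boolean hasRolePermission(Req request, String role);
    }

    // Default behaviour: a fixed user-to-role table, standing in for the roles
    // a Realm would supply for the <security-constraint> checks in web.xml.
    static class StaticAuthorizator implements Authorizator {
        private final Map<String, Set<String>> rolesByUser;
        StaticAuthorizator(Map<String, Set<String>> rolesByUser) { this.rolesByUser = rolesByUser; }
        public boolean hasRolePermission(Req request, String role) {
            if (request.user() == null || role == null) return false;  // deny by default
            return rolesByUser.getOrDefault(request.user(), Set.of()).contains(role);
        }
        public boolean hasResourcePermission(Req request, Set<String> allowedRoles) {
            for (String role : allowedRoles)          // an empty role set grants nothing
                if (hasRolePermission(request, role)) return true;
            return false;
        }
    }

    // Replacement mechanism (hypothetical): adds a suspension list that could be
    // loaded from LDAP or a database, without touching Realm or the caller.
    static class PolicyStoreAuthorizator extends StaticAuthorizator {
        private final Set<String> suspended;
        PolicyStoreAuthorizator(Map<String, Set<String>> roles, Set<String> suspended) {
            super(roles);
            this.suspended = suspended;
        }
        @Override public boolean hasRolePermission(Req request, String role) {
            return request.user() != null && !suspended.contains(request.user())
                    && super.hasRolePermission(request, role);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: the same request is checked by both mechanisms.
        Map<String, Set<String>> roles = Map.of("alice", Set.of("admin"), "bob", Set.of("user"));
        Req alice = new Req("alice");
        Set<String> adminOnly = Set.of("admin");
        for (Authorizator a : new Authorizator[] {
                new StaticAuthorizator(roles), new PolicyStoreAuthorizator(roles, Set.of("alice")) })
            System.out.println(a.getClass().getSimpleName() + ": " + a.hasResourcePermission(alice, adminOnly));
    }
}
```

The caller only sees the `Authorizator` interface, so swapping the implementation changes the decision for the suspended user without any change to the authentication path.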
