IMO - I would rather see us using JAAS directly as API
instead of defining our own.
I already mentioned that I would prefer using JNDI for
abstracting the information about user/group. In general, the
fewer interfaces we define, the better it is.
Costin
Jeanfrancois Arcand wrote:
> Hi,
>
> I would like to propose the following re-factorisation of the current
> Realm interface. Right now, Realm contains 3 methods related to
> authorization:
>
> hasRole
> hasUserDataPermission
> hasResourcePermission
>
> I would like to create a new interface called Authorizator (and a default
> AuthorizatorBase) that will take care of those methods. I just think
> those methods should be grouped together, and I think they are not
> directly related to the Realm "concepts" (better separation of
> concepts). It will allow people to change the current resource
> authorization mechanism without having to modify the Realm interface.
>
> Precisely, the method will have the following signature:
>
> public boolean hasResourcePermission(HttpRequest request,
>                                      HttpResponse response,
>                                      SecurityConstraint constraint,
>                                      Context context)
>
> public boolean hasRolePermission(HttpRequest request,
>                                  HttpResponse response,
>                                  String role);
>
> public boolean hasUserDataPermission(HttpRequest request,
>                                      HttpResponse response,
>                                      SecurityConstraint constraint,
>                                      Context context)
>
> In the current implementation, those methods will get invoked by the
> AuthenticatorBase and when the user calls isUserInRole().
>
> This factorisation will provide the ability to replace/extend the
> default AuthorizatorBase (that implements the Servlet
> <security-constraint> stuff...section SRV 12.7) by another mechanism:
> LDAP, NFS, Database, File base, JSR 115, etc. This way people will be
> able to grant/deny permissions not only based on the web.xml content,
> but also using other technologies. Although it is possible to do that
> with the current Tomcat 5 codebase, I recommend we create this extra
> interface. For J2EE 1.4, I was able to implement JSR 115 without having
> too many problems, but I'm sure having a specialized interface will make
> implementation easier.
>
> The Realm.hasRole will be deprecated in order to achieve that
> re-factorisation.
>
> What do you think?
>
> Thanks,
>
> -- Jeanfrancois
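The separation discussed in this thread, sketched as an added example (not code from either poster or from Tomcat): an authorization interface split out of the Realm, with one backend that reads roles from a JAAS `Subject` and one that reads them from an external store. Apart from the JDK's `Subject` and `Principal`, every type here is a hypothetical stand-in, and the method signatures are simplified to drop the request/response parameters.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration: apart from the JDK's Subject and Principal, every type is a hypothetical stand-in.
public class AuthorizatorSketch {
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    record Constraint(String urlPrefix, Set<String> allowedRoles) {} // stand-in for <security-constraint>

    // Authorization split out of the Realm so the decision source can be swapped.
    interface Authorizator {
        boolean hasRolePermission(Subject user, String role);
        // Default deny: an unauthenticated caller never passes a constraint.
        default boolean hasResourcePermission(Subject user, Constraint c) {
            return user != null && c.allowedRoles().stream().anyMatch(r -> hasRolePermission(user, r));
        }
    }

    // Backend 1: roles travel with the JAAS Subject as principals.
    static class JaasAuthorizator implements Authorizator {
        public boolean hasRolePermission(Subject user, String role) {
            return user != null && user.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role));
        }
    }

    // Backend 2: roles come from an external store (a map standing in for LDAP or a database).
    record StoreAuthorizator(Map<String, Set<String>> rolesByUser) implements Authorizator {
        public boolean hasRolePermission(Subject user, String role) {
            return user != null && user.getPrincipals(UserPrincipal.class).stream()
                .anyMatch(p -> rolesByUser.getOrDefault(p.getName(), Set.of()).contains(role));
        }
    }

    static Subject subject(Principal... principals) {
        Subject s = new Subject();
        s.getPrincipals().addAll(List.of(principals));
        return s;
    }

    public static void main(String[] args) {
        Constraint adminArea = new Constraint("/admin", Set.of("admin")); // constructed sample data
        Subject alice = subject(new UserPrincipal("alice"), new RolePrincipal("admin"));
        Subject bob = subject(new UserPrincipal("bob"));
        List<Authorizator> backends =
            List.of(new JaasAuthorizator(), new StoreAuthorizator(Map.of("alice", Set.of("admin"))));
        for (Authorizator a : backends) {
            System.out.printf("%s alice=%b bob=%b anonymous=%b%n", a.getClass().getSimpleName(),
                a.hasResourcePermission(alice, adminArea), a.hasResourcePermission(bob, adminArea),
                a.hasResourcePermission(null, adminArea));
        }
    }
}
```

Both backends answer the same constraint check, so the caller that enforces the constraint does not change when the role source does.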