tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Costin Manolache <>
Subject Re: [5] [Proposal] Adding an authorization interface
Date Thu, 28 Nov 2002 17:03:33 GMT
Remy Maucherat wrote:

> I'll only be talking about HTTP authentication and the interaction with
> the realms for now.
> The main problem is that some authentication schemes need the realm to
> function (digest, for example). So I don't see how we can put that layer
> of processing in Coyote, since we need access to the realm to perform
> it. However, the code in the current authenticators will enventually be
> rewritten Coyote-style (and using tomcat-util objects) so that it
> actually performs well.

That's orthogonal and not the subject of this discussion ( the proposal
is about authorization, not authentication ).

Also the issue of using coyote hooks ( Action ) or a custom interface is 
orthogonal on what information is needed, in both cases the implementation
of the authentication hook ( or interface ) will have access to the same
information ( Request, user info, etc ).

> I think a refactoring of the realms is needed in order to support any
> auth scheme (most realms don't work with digest). To be able to do


I would add to the wish list better support for web server integration.
It would be nice ( at least for jni mode ) to be able to have the 
native server call the hook to auth static resources - but the real
important thing is allow the native server do it ( and the countless auth 
modules ).

> We should probably standardize on storing the limited digest defined in
> the RFC in the realms instead of the clear password or some kind of
> unusable digest of the password.

I like the move to split the storage of the info about user from Realm,
as well as the split of authorization/authentication. I don't like 
the current abstraction for user info ( and the fact that all users 
need to be in memory ), and I would preffer use of a consistent hook
mechanism ( coyote Action ) instead of special interfaces.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message