tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Costin Manolache <cmanola...@yahoo.com>
Subject Re: [5] [Proposal] Adding an authorization interface
Date Wed, 04 Dec 2002 18:30:54 GMT
Glenn Nielsen wrote:

> There are a number of different types of realm implementations in
> org.apache.catalina.realm. These are all solely used for web application
> realm based authentication except for those which implement the
> UserDatabase which understands users, groups, and roles and has methods
> for managing these.  Also a UserDatabase can be instantiated as a JNDI
> resource.
> 
> It would be nice if all realm implementations could support not only
> authentication
> and authorization but also management of users, groups, and roles.  And be
> instantiated as a JNDI resource so it can be provided by the container as
> a resource to a virtual host.

Requiring all realm implementations to support user management is 
not a good idea. Some realms can do that ( database, our own file, ldap)
and some just can't ( passwd, kerberos/radius/tacacs, etc ).

I think we have 3 distinct issues:
- authorization: I think tomcat needs to expose a single hook and provide
a default implementation ( using the mapper - it can also implement jsr115,
but it needs to be efficient )

- authentication: again one hook that could be implemented by delegating
to apache or use JAAS ( that should be the default - and all current
Realms migrated to JAAS plugins ! )

- user management. That should be optional - and probably the best 
abstraction is JNDI. Besides user/pass/certificate it can store all other
user attributes. I think we should be consistent on naming the attributes 
as in the inetUser LDAP schema ( it will work out-of-box with existing
ldap servers and easy to translate to databases, etc ). All UserDatabase
impl should be migrated to JNDI providers, and UserDatabase deprecated (
or implemented on top of jndi ).

Costin



--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message