Bill Barker wrote:
> Tomcat doesn't adhere to the (new) requirements in the 2.4 Servlet-Spec for
> handling the case of Overlapping Constraints:
> <spec-quote version="2.4 pfd3" section="12.8.1">
> When a url-pattern and http-method pair occurs in multiple security
> constraints, the
> applicable constraints (on the pattern and method) are defined by combining
> the
> individual constraints.
> </spec-quote>
>
> I see two ways to address this, but can't pick a clear favorite (hence
> asking for comments :).
>
> 1) Add a method 'List getSecurityConstraints(HttpRequest req, Context ctx)'
> to Realm, and have AuthenticatorBase loop through them.
> 2) Have RealmBase create its own special SecurityConstraint that is the
> intersection of all of the overlapping constraints, and leave
> AuthenticatorBase alone.
>
> Case 1 has the advantage of being relatively clean from a coding standpoint.
> Case 2 would probably require adding a 'void intersect(SecurityConstraint
> sc)' method to the SecurityConstraint class to enable it to construct the
> correct permissions (and this looks like it would be a non-trivial method to
> implement).
>
> Comments/Opinions/Flames?
1) seems better from your description. It could be a good idea to
confirm that the spec change will still be in the final version.
I'd like to add that a lot of this code is unoptimized (it abuses
substring, whereas it could likely use region matching), so maybe it
could be a good opportunity to improve it (along with BASIC auth handling).
Remy
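The combination Bill is describing, worked through as an added example rather than Tomcat code: a small model of the Servlet 2.4 section 12.8.1 rules, under which overlapping constraints union their roles, a constraint with no auth-constraint permits unauthenticated access, an auth-constraint naming no roles precludes all access, and a plain connection is acceptable if any constraint accepts one. The class and function names, and the two sample constraints, are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Constructed model of one <security-constraint> as it applies to a single
# url-pattern/http-method pair; not Tomcat's SecurityConstraint class.
@dataclass(frozen=True)
class Constraint:
    roles: Optional[FrozenSet[str]]   # None = no <auth-constraint>; empty = names no roles
    transport: str = "NONE"           # <transport-guarantee>; "NONE" when absent

@dataclass(frozen=True)
class Combined:
    precluded: bool                   # an empty <auth-constraint> was present
    roles: FrozenSet[str]             # union of permitted roles ("*" = all declared)
    unauthenticated_ok: bool          # some constraint lacked <auth-constraint>
    unprotected_ok: bool              # some constraint accepted a plain connection

def combine(constraints: Iterable[Constraint]) -> Combined:
    """Apply the 12.8.1 combination rules to every constraint matching the request."""
    cs = list(constraints)
    roles, unauth, precluded = set(), False, False
    for c in cs:
        if c.roles is None:
            unauth = True
        elif not c.roles:
            precluded = True            # overrides every other constraint
        else:
            roles |= c.roles
    unprotected = any(c.transport == "NONE" for c in cs)
    if precluded:
        return Combined(True, frozenset(), False, unprotected)
    return Combined(False, frozenset(roles), unauth, unprotected)

def decide(c: Combined, principal_roles: Optional[FrozenSet[str]], secure: bool) -> str:
    """Authenticator-style decision; principal_roles is None when unauthenticated."""
    if c.precluded:
        return "deny"
    if not c.unprotected_ok and not secure:
        return "redirect-to-ssl"
    if c.unauthenticated_ok:
        return "allow"
    if principal_roles is None:
        return "authenticate"
    if "*" in c.roles or c.roles & principal_roles:
        return "allow"
    return "deny"

# Constructed sample: two constraints that both cover GET /admin/*.
ADMIN_SSL = Constraint(frozenset({"admin"}), "CONFIDENTIAL")
MANAGER_PLAIN = Constraint(frozenset({"manager"}))
```

Note that combining only ever widens access: a "manager" over plain HTTP is denied by ADMIN_SSL alone but allowed once MANAGER_PLAIN is combined with it, so overlapping constraints in web.xml deserve an audit when the spec behaviour is adopted.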
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org