tomcat-dev mailing list archives

From Remy Maucherat <>
Subject Re: [5] Authentication for Overlapping Constraints
Date Thu, 24 Jul 2003 08:04:05 GMT
Bill Barker wrote:
> Tomcat doesn't adhere to the (new) requirements in the 2.4 Servlet-Spec for
> handling the case of Overlapping Constraints:
> <spec-quote version="2.4 pfd3" section="12.8.1">
> When a url-pattern and http-method pair occurs in multiple security
> constraints, the applicable constraints (on the pattern and method) are
> defined by combining the individual constraints.
> </spec-quote>
> I see two ways to address this, but can't pick a clear favorite (hence
> asking for comments :).
> 1)  Add a method 'List getSecurityConstraints(HttpRequest req, Context ctx)'
> to Realm, and have AuthenticatorBase loop through them.
> 2) Have RealmBase create its own special SecurityConstraint that is the
> intersection of all of the overlapping constraints, and leave
> AuthenticatorBase alone.
> Case 1 has the advantage of being relatively clean from a coding standpoint.
> Case 2 would probably require adding a 'void intersect(SecurityConstraint
> sc)' method to the SecurityConstraint class to enable it to construct the
> correct permissions (and this looks like it would be a non-trivial method to
> implement).
> Comments/Opinions/Flames?

1) seems better from your description. It could be a good idea to 
confirm that the spec change will still be in the final version.
I'd like to add that a lot of this code is unoptimized (it abuses 
substring, whereas it could likely use region matching), so maybe it 
could be a good opportunity to improve it (along with BASIC auth handling).
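Added example, not Tomcat's code and not from either poster, of what the combining step in approach 2 actually has to compute for the constraints that match one pattern/method pair, since it is not a plain intersection: as I read section 12.8.1 of the 2.4 text (an assumption about the final wording), named roles are unioned, a constraint with no <auth-constraint> admits unauthenticated access, an empty <auth-constraint> precludes everyone, and accepted connection types are unioned. Class and method names are hypothetical, and the special role "*" is not modelled.

```java
import java.util.*;

// Merges every <security-constraint> matching one url-pattern/http-method pair, using the
// Servlet 2.4 section 12.8.1 combination rules summarized in the lead-in. Names are hypothetical.
public class ConstraintMerge {
    static final class Constraint {
        final Set<String> roles;  // null: no <auth-constraint>; empty: <auth-constraint/> (deny all)
        final boolean secure;     // true: CONFIDENTIAL or INTEGRAL guarantee; false: NONE or absent
        Constraint(Set<String> roles, boolean secure) { this.roles = roles; this.secure = secure; }
    }
    static final class Effective {
        boolean denyAll;                           // an empty <auth-constraint> overrides everything
        boolean unauthenticated;                   // a constraint with no <auth-constraint> admits anyone
        final Set<String> roles = new TreeSet<>(); // union of the named roles
        boolean secureRequired;                    // true only if every matching constraint demands it
    }
    static Effective combine(List<Constraint> matching) {
        Effective e = new Effective();
        e.secureRequired = !matching.isEmpty();
        for (Constraint c : matching) {
            if (c.roles == null) e.unauthenticated = true;
            else if (c.roles.isEmpty()) e.denyAll = true;
            else e.roles.addAll(c.roles);
            // accepted connection types are unioned: one permissive constraint lifts the requirement
            e.secureRequired &= c.secure;
        }
        return e;
    }
    // Access decision for the merged constraint; userRoles == null means unauthenticated.
    static boolean allowed(Effective e, Set<String> userRoles, boolean onSecureChannel) {
        if (e.denyAll) return false;                            // precluded for everyone
        if (e.secureRequired && !onSecureChannel) return false;
        if (e.unauthenticated) return true;
        if (userRoles == null) return false;
        return !Collections.disjoint(e.roles, userRoles);
    }
    public static void main(String[] args) {
        // Constructed constraints that all cover the same pattern and method
        Constraint admins = new Constraint(Collections.singleton("admin"), true);
        Constraint managers = new Constraint(Collections.singleton("manager"), false);
        Constraint open = new Constraint(null, false);
        Constraint nobody = new Constraint(new HashSet<String>(), false);
        System.out.println("admin+manager, manager over plain http: "
            + allowed(combine(Arrays.asList(admins, managers)), Collections.singleton("manager"), false));
        System.out.println("admin+open, anonymous over https: "
            + allowed(combine(Arrays.asList(admins, open)), null, true));
        System.out.println("admin+manager+nobody, admin over https: "
            + allowed(combine(Arrays.asList(admins, managers, nobody)), Collections.singleton("admin"), true));
    }
}
```

The third case is the one worth keeping in mind when reviewing either approach: a deny-all constraint must win no matter how many permissive constraints share the pattern, so the merge cannot stop at the first match.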

