tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
Date Fri, 20 Jan 2006 06:36:41 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=7831>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=7831

------- Additional Comments From mario@ops.co.at  2006-01-20 07:36 -------
> I am minded, however, to use your
> patch as a basis for an implementation of getPrincipal() rather than over-riding
> authenticate(X509Certificate).
Sorry, I don't know what you mean.
I use "authenticate(X509Certificate)", what's bad with it? That's the place where
authentication should occur, no?
But I don't know the latest codebase, so it may well be that some stuff has changed.


> In terms of supporting multiple LDAP servers my intention is to provide something
> that works for OpenLDAP and can be over-ridden as required for other directories.
Something which my patch tries to address.
There are implementations for ActiveDirectory and OpenExchange (I guess this is
OpenLDAP).

> 1. I moved the classes into the o.a.c.Realm package.
> 2. Please keep to the coding standards of the original when copying source. It
> makes it much easier to find where you have made any subtle changes.
Yes. Sorry for this.

> 3. CertUser looks to be unnecessary - why not use User from JNDIRealm?
I need CertUser to be able to hold both the username and the DN of the LDAP entry.
Internally it works with the "dn", but as username it will use whatever the user
configured it to use.
I didn't want to pass the rather large DN (and meaningless from the point of view of
the application) back to the application.

> 4. Your changes to authenticate(String, String) appear to be unrelated to adding
> support for certificates. Please keep patches for different issues separate so
> they can be considered separately. Feel free to file a new bug for this one.
As you might have seen I started coding mid 2003, so I can't remember what I
changed here. Though, the best would be to make it possible to extend JNDIRealm
and change only what is needed to handle the certificate stuff.
For some reason I can't remember, this was not possible.

> 5. You appear to have reverted the patches for bugs 23190, 16541 and 26487. What
> is the reason for this?
> 6. The patch for bug 22236 has also been reverted. Is this intentional?
As I said, I started mid 2003, the last addition in 2005 is based on this rather
old version - none of those bugs were there when I started.

> 7. Is there a reason that getCertUserByPattern() isn't supported?
I can't remember.

> 8. A change committed at the same time as bug 22236 to
> addAttributeValues(String, Attributes, ArrayList) that modified the return value
> from null to values in a couple of places has also been reverted. Why?
See 5 & 6.


All in all I waited all the time to find a Tomcat committer who would start
looking at it and point me in the right direction.
My "patch" was meant to be a discussion base and hopefully not that bad, so we
can have a cleaned-up version sometime in the codebase.

Now, it looks like there is one :-)

I can update the patch to the Tomcat 5.5.x codebase if wanted.
E.g. starting to refactor JNDIRealm so that in JNDIRealmCertBase only the
certificate-relevant stuff is included.
That way I won't mask the other patches.
It's just that I am so out of time, so I'll do this only when I know that you will pick it up.

Ciao,
Mario
