From Mark Thomas <>
Subject Re: Mr. Thomas please check this.
Date Sun, 22 Jan 2006 23:15:52 GMT
Jack wrote:
> When we use client-cert, we might be not using ssl at all since we don't ask 
> confidential transfer.
This is not correct. CLIENT-CERT authentication *requires* ssl. ssl is
still ssl even if NULL encryption is used.

>>A web application may well have a mixed user community,
>>some authenticate by means of a password or other authenticators,
>>others have a certificate for authentication.
The servlet spec gets in the way of some of your ideas here. It
essentially mandates one and only one mechanism for authenticating
users per webapp. There are tricks you can play here but it gets quite
complicated very quickly.

> I have the same opinion. That's why I suggest to use UserContext for each 
> web-app.
The idea of checking multiple realms to authenticate a user should be
a lot easier. I haven't looked at it but I would expect it to be
relatively simple to implement a hybrid realm that contains an ordered
list of realms and checks each of them in turn until the user is
authenticated or it runs out of realms to authenticate against.

> For a specific web-app, all its users' certificate might be in a special 
> place. so some attribute of ssl connector
> should be attributes of UserContext.
You need to be more specific. Which attributes? Greater control
per-realm of how a client certificate is verified is certainly
possible, as is how that certificate is mapped to a user.

> The realms in o.a.c.realm package mixed up authentication & authorization. I 
> suggest to separate them.
> authentication belongs to UserContext.
The realm handles these processes together because they are tightly
coupled. Separating them will add complexity. What is the
justification for this?

> I hope my information can be a little bit helpful to you.
Some of your ideas have potential but others are clear non-starters.
To make your information more useful I would suggest some detailed
research followed by the development of one or more concrete
proposals, preferably supported by patches. Keep each proposal/patch
focussed on a single issue. I would suggest that a detailed study of
the authentication and authorisations sections of the servlet spec and
the low-level workings of SSL would be good places to start your research.
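The "ordered list of realms, tried in turn until one authenticates the user" idea from the reply above, sketched as an added example. This is not code from the mailing-list thread or from Tomcat's org.apache.catalina.realm package; the `Realm` interface, `OrderedRealm`, and `InMemoryRealm` below are hypothetical, reduced to the single `authenticate` call needed to show the control flow.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

// Hypothetical minimal realm contract for this example (not Tomcat's Realm interface).
interface Realm {
    /** Returns the authenticated principal, or null if this realm does not accept the user. */
    Principal authenticate(String username, char[] credentials);
}

/** Simple principal carrying the name and the realm that vouched for it. */
final class RealmPrincipal implements Principal {
    private final String name;
    private final String realmName;
    RealmPrincipal(String name, String realmName) { this.name = name; this.realmName = realmName; }
    @Override public String getName() { return name; }
    public String getRealmName() { return realmName; }
}

/** Hybrid realm: consults each delegate in order, first success wins, null when all are exhausted. */
final class OrderedRealm implements Realm {
    private final List<Realm> delegates;
    OrderedRealm(List<Realm> delegates) { this.delegates = List.copyOf(delegates); }

    @Override
    public Principal authenticate(String username, char[] credentials) {
        for (Realm realm : delegates) {
            Principal p = realm.authenticate(username, credentials);
            if (p != null) {
                return p;              // stop at the first realm that authenticates the user
            }
        }
        return null;                   // ran out of realms: authentication failed
    }
}

/** Toy password realm backed by a constructed in-memory table (sample data only). */
final class InMemoryRealm implements Realm {
    private final String name;
    private final Map<String, byte[]> users;   // username -> UTF-8 bytes of the password
    InMemoryRealm(String name, Map<String, String> plain) {
        this.name = name;
        this.users = new java.util.HashMap<>();
        plain.forEach((u, pw) -> users.put(u, pw.getBytes(StandardCharsets.UTF_8)));
    }

    @Override
    public Principal authenticate(String username, char[] credentials) {
        byte[] expected = users.get(username);
        if (expected == null) {
            return null;               // unknown here; another realm may still know the user
        }
        byte[] supplied = new String(credentials).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so a wrong password does not leak match length via timing.
        boolean ok = MessageDigest.isEqual(expected, supplied);
        Arrays.fill(supplied, (byte) 0);
        return ok ? new RealmPrincipal(username, name) : null;
    }
}

public class OrderedRealmDemo {
    public static void main(String[] args) {
        // Constructed sample realms: a local table checked first, a second table as fallback.
        Realm local = new InMemoryRealm("local", Map.of("alice", "s3cret"));
        Realm fallback = new InMemoryRealm("fallback", Map.of("bob", "hunter2"));
        Realm hybrid = new OrderedRealm(List.of(local, fallback));

        report(hybrid, "alice", "s3cret");   // authenticated by realm "local"
        report(hybrid, "bob", "hunter2");    // not in "local", authenticated by "fallback"
        report(hybrid, "bob", "wrong");      // both realms refuse: null
        report(hybrid, "carol", "x");        // unknown everywhere: null
    }

    private static void report(Realm realm, String user, String password) {
        Principal p = realm.authenticate(user, password.toCharArray());
        if (p instanceof RealmPrincipal rp) {
            System.out.println(user + " -> authenticated by realm " + rp.getRealmName());
        } else {
            System.out.println(user + " -> authentication failed");
        }
    }
}
```

One design point worth keeping in mind with this pattern: because a username unknown to the first realm falls through to the next, the order of the list decides which realm "owns" a name that exists in more than one of them, so the first realm should be the one you trust most for that user population.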