tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jack" <jack...@hotmail.com>
Subject The original Realm
Date Fri, 20 Jan 2006 09:53:49 GMT
"Terry Zhou" <zhouxc@gmail.com> wrote in message 
news:daa09eb00601200137k6e9fa75cr@mail.gmail.com...
>Tomcat does have a realm in different level(Engine,Host,Webapp) for 
>security.
>Check http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
Personally, I believe that the original Realm mixed up the authentication & 
authorization.
It should be seperated into Authorizer & UserRealm.

The reason why I suggest to add user package is that the source code of the 
original implementation is not easy to be integrated into the source code of 
web-app.

Principal is web-app dependant



HttpServletRequest.getRemoreUser() returns the name of the user of the 
request. When we use certificates, the return object is not well defined 
since there is no name here.

HttpServletRequest.getUserPrincipal() doesn't have a good definition, 
either. It just says the principal name of the current authenticated user. 
So, what is in the returned Principal object is up to the container, too. 
However, the reason to have such a method is to let the web-app can access 
it. And so, the returned Principal should be web-app dependent. We had 
better to ask the web-app to implement the Principal if the web-app care who 
the user is. In such a case, we had better leave the authentication to the 
web-app (in UserContext), too.



If the web-app doesn't care at all, then we can use GenericPrincipal as the 
current implementation.


jackzhp@hotmail.com




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message