tomcat-dev mailing list archives

From David Jencks <>
Subject Jaspic (jsr 196) support in tomcat
Date Thu, 16 Jul 2009 17:30:12 GMT
While looking into some problems with the tomcat integration in  
geronimo around ejb web service security and the jacc integration I  
realized the simplest way to fix all the problems at once was to  
rewrite web security including jaspic support.

The new implementation is at

and it needs a couple ContextConfig classes in the parent directory to  
get installed and work.

The main idea here is to replace the Realm with a SecurityValve that  
delegates authentication decisions to an authenticator and  
authorization decisions to an authorizer.  The authenticator is  
similar in concept to the jaspic ServerAuthContext but more adapted to  
servlets.  The authorizer exposes the authorization decisions called  
for by the jaspic spec servlet profile.

I have authenticators for the built-in auth methods and also a jaspic  
So far I have only a jacc authorizer but it should be easy to adapt  
the old code to write one that uses the tomcat constraint objects.

The part that doesn't fit very well is that the Realm concept is used  
to implement isUserInRole.  I wrote a Realm implementation that uses  
JACC for this.  If I were to consider a patch to tomcat for this I  
would eliminate the Realm concept and have a new interface for the  
isUserInRole decision.

I have not yet tried running the jaspic tck on this so don't know how  
many bugs there are in the jaspic adapter.  Regular security seems to  
work OK.  Most likely I will spend a little time on this in the next  
few days.

I developed most of the ideas for the web-adapted interface and  
adapter working on the jetty jaspic integration.  In particular jetty  
wanted to be able to run without the jaspic api jar, and since this  
seemed like it might be desirable for tomcat as well, no jaspic  
classes are used outside the jaspic adapter.

I think it would be great if the tomcat community integrated some  
version of this code in perhaps tomcat 7 but I do not expect to be  
providing any patches to tomcat for this.  I'm happy to talk about the  
code, but I'm more likely to see discussion on the geronimo dev list.

david jencks
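
The delegation described in this message, as an added sketch that is not the author's or Geronimo's code: a valve that holds no policy itself, asks an authenticator who the caller is, asks an authorizer for each decision, and fails closed. All type and method names (`Request`, `Identity`, `Authenticator`, `Authorizer`, `invoke`), the sample tokens and the `/admin/` policy are hypothetical, and placing `isUserInRole` on the authorizer is an assumption.

```java
import java.util.*;

public class SecurityValveSketch {
    // Hypothetical request and identity types; not Tomcat or Geronimo classes.
    record Request(String path, boolean secure, String token) {}
    record Identity(String name, Set<String> roles) {}

    interface Authenticator { Optional<Identity> authenticate(Request r); }
    interface Authorizer {
        boolean transportAllowed(Request r);                        // user-data constraint
        boolean resourceAllowed(Request r, Optional<Identity> who); // resource constraint
        boolean isUserInRole(Identity who, String role);            // assumption: lives here, not in a Realm
    }

    // The valve only sequences the two delegates and fails closed.
    static int invoke(Request r, Authenticator authn, Authorizer authz) {
        if (!authz.transportAllowed(r)) return 403; // a container might redirect to HTTPS instead
        Optional<Identity> who = authn.authenticate(r);
        if (authz.resourceAllowed(r, who)) return 200;
        return who.isPresent() ? 403 : 401;         // known but not permitted vs. must log in
    }

    public static void main(String[] args) {
        // Constructed sample data: one session token per user.
        Map<String, Identity> sessions = Map.of(
            "t-alice", new Identity("alice", Set.of("admin")),
            "t-bob", new Identity("bob", Set.of("user")));
        Authenticator authn = r ->
            r.token() == null ? Optional.empty() : Optional.ofNullable(sessions.get(r.token()));
        // Constructed policy: /admin/* needs TLS and the "admin" role; the rest is open.
        Authorizer authz = new Authorizer() {
            public boolean transportAllowed(Request r) {
                return r.secure() || !r.path().startsWith("/admin/");
            }
            public boolean resourceAllowed(Request r, Optional<Identity> who) {
                return !r.path().startsWith("/admin/")
                    || who.map(i -> isUserInRole(i, "admin")).orElse(false);
            }
            public boolean isUserInRole(Identity who, String role) {
                return who.roles().contains(role);
            }
        };
        for (Request r : List.of(new Request("/index.html", false, null),
                new Request("/admin/users", false, "t-alice"),
                new Request("/admin/users", true, null),
                new Request("/admin/users", true, "t-bob"),
                new Request("/admin/users", true, "t-alice")))
            System.out.println(r.path() + " secure=" + r.secure() + " -> " + invoke(r, authn, authz));
    }
}
```

Swapping either delegate (for example a different authenticator per auth method) leaves `invoke` unchanged, which is the point of keeping policy out of the valve.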

