tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Tue, 14 Feb 2012 08:00:19 GMT

--- Comment #23 from Michael <> 2012-02-14 08:00:19 UTC ---
Dear Christopher,
Thank you for the fast reply!

>That looks great.

>I'm not sure why either of these are necessary. 
>I think that UserNameRetriever (maybe a better name 
>would be X509UserNameRetriever now that I think about it)
>interface, the SubjectDNRetriever, and minimal changes to RealmBase.

I am confused. According to my understanding, we want to provide the ability to
use a user provided X509UserNameRetriever.

The purpose of UserNameRetrieverDecorator is to return the user name from the
default X509UserNameRetriever if the X509UserNameRetriever provided by a user
returns an empty user name.

I can move the UserNameRetrieverDecorator code to RealmBase, but I think it is
clearer if it is in a different class.

Please tell me what you think about it.

Regarding UserNameRetrieverConfiguration – it allows easy configuration of a
user provided X509UserNameRetriever.

I think it is very useful if you create your own X509UserNameRetriever.
Please tell me what you think about it.

>Note that no changes are required to the Realm interface: the selection of a
>UserNameRetriever is an implementation detail that can safely be left in

Ok, got it.

> If you do submit another one, please don't include 
>"@author" tags in the source files:

I will provide another patch based on your comments without the @author tag and
with the X509UserNameRetriever name.

>Look at the file webapps/docs/config/realm.xml for the source to
>the current "Realm" configuration page:
> that's the proper place to document the new configuration 
> attributes and describe how they can be used.

Ok, I will do it. I am thinking of adding the new configuration attributes to the
Common Attributes section.

Please tell me what you think about it.

>Basically, no documentation should be required 
>that isn't part of your patch.

So, I will not provide the client certificate description. Correct?
Waiting for your comments.

Best regards,
