tomcat-dev mailing list archives

From Arjan Tijms
Subject Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x
Date Fri, 04 Dec 2015 13:17:33 GMT

See you guys are making good progress with the JASPIC implementation in

One commit that I noticed is the following:

It says: "Remove the programmatic login/logout override, as I don't see how
JASPIC can interact with it."

I haven't looked further for the exact context here, but in general JASPIC
interacts with both the corresponding methods in HttpServletRequest.

In case of login(), an exception has to be thrown when a SAM is configured.
The rationale is that a SAM can't handle just login(), as a SAM is an
authentication mechanism that may or may not delegate to an identity store.
login() is intended to go to a server specific identity store (Tomcat calls
it realm). Since there's no standard mechanism for a SAM to delegate to
this server specific identity store, it can't handle login(), hence the

In case of logout(), next to what the server normally would do, the SAM's
cleanSubject() method has to be called.

Hope this helps.

Kind regards,
Arjan Tijms
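
The two rules described in the message above, sketched as an added Java example that is not part of the original message and is not Tomcat's implementation. The wrapper class `JaspicAwareRequest` and its constructor arguments are hypothetical, and it assumes a null `ServerAuthContext` means no SAM is configured; `cleanSubject()` is invoked through the `ServerAuthContext`, which delegates to the SAM.

```java
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper modelling the login()/logout() rules; a container would do this internally.
public class JaspicAwareRequest extends HttpServletRequestWrapper {
    private final ServerAuthContext authContext; // assumption: null when no SAM is configured
    private final MessageInfo messageInfo;       // message info used when the request was validated
    private final Subject clientSubject;         // subject populated during authentication

    public JaspicAwareRequest(HttpServletRequest request, ServerAuthContext authContext,
                              MessageInfo messageInfo, Subject clientSubject) {
        super(request);
        this.authContext = authContext;
        this.messageInfo = messageInfo;
        this.clientSubject = clientSubject;
    }

    @Override
    public void login(String username, String password) throws ServletException {
        if (authContext != null) {
            // A SAM has no standard way to delegate to the server specific identity
            // store (realm), so programmatic login is refused instead of bypassing it.
            throw new ServletException("login() is not supported when a SAM is configured");
        }
        super.login(username, password);
    }

    @Override
    public void logout() throws ServletException {
        ServletException failure = null;
        try {
            super.logout(); // what the server normally would do
        } catch (ServletException e) {
            failure = e;    // remember it, but still let the SAM clean up
        }
        if (authContext != null) {
            try {
                authContext.cleanSubject(messageInfo, clientSubject);
            } catch (AuthException e) {
                if (failure == null) { failure = new ServletException(e); } else { failure.addSuppressed(e); }
            }
        }
        if (failure != null) throw failure;
    }
}
```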
