tomcat-dev mailing list archives

From Arjan Tijms <arjan.ti...@gmail.com>
Subject Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x
Date Fri, 04 Dec 2015 13:17:33 GMT
Hi,

See you guys are making good progress with the JASPIC implementation in
Tomcat.

One commit that I noticed is the following:
https://github.com/apache/tomcat/commit/3e1b4931867a12a74e9e9fe7ff86484cc65a21e6

It says: "Remove the programmatic login/logout override, as I don't see how
JASPIC can interact with it."

I haven't looked further for the exact context here, but in general JASPIC
interacts with both the corresponding methods in HttpServletRequest.

In case of login(), an exception has to be thrown when a SAM is configured.
The rationale is that a SAM can't handle just login(), as a SAM is an
authentication mechanism that may or may not delegate to an identity store.
Login() is intended to go to a server-specific identity store (Tomcat calls
it realm). Since there's no standard mechanism for a SAM to delegate to
this server-specific identity store, it can't handle login(), hence the
exception.

In case of logout(), next to what the server normally would do, the SAM's
cleanSubject() method has to be called.

Hope this helps.

Kind regards,
Arjan Tijms




--
View this message in context: http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5043520.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.
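
The two rules in the message above, as an added Java sketch that is not part of the original e-mail and not Tomcat's code. `JaspicProgrammaticAuth` and `ContainerAuth` are hypothetical names; only the `javax.security.auth.message` and `javax.servlet` types are real API, and both must be on the classpath. Calling `cleanSubject()` first and doing the container's own cleanup in `finally` is an ordering chosen here, not one the message specifies.

```java
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletException;

/** Hypothetical container-side glue for HttpServletRequest.login()/logout(). */
public final class JaspicProgrammaticAuth {

    /** Hypothetical hook for what the server does when no SAM is involved. */
    public interface ContainerAuth {
        void realmLogin(String username, String password) throws ServletException;
        void clearAuthenticatedState();
    }

    private final ServerAuthContext authContext; // null when no SAM is configured
    private final ContainerAuth container;

    public JaspicProgrammaticAuth(ServerAuthContext authContext, ContainerAuth container) {
        this.authContext = authContext;
        this.container = container;
    }

    /** login(): with a SAM configured there is no standard path to the realm, so refuse. */
    public void login(String username, String password) throws ServletException {
        if (authContext != null) {
            throw new ServletException(
                "login() is not supported while a JASPIC ServerAuthModule is configured");
        }
        container.realmLogin(username, password);
    }

    /** logout(): call the SAM's cleanSubject() in addition to the normal server logout. */
    public void logout(MessageInfo messageInfo, Subject subject) throws ServletException {
        try {
            if (authContext != null) {
                authContext.cleanSubject(messageInfo, subject);
            }
        } catch (AuthException e) {
            throw new ServletException("SAM cleanSubject() failed", e);
        } finally {
            // Always drop the server's own authenticated state, so a failing
            // SAM cannot leave the caller logged in.
            container.clearAuthenticatedState();
        }
    }
}
```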