tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: formbased security
Date Wed, 06 Dec 2000 02:37:36 GMT
John de la Garza wrote:

> Can someone tell me what the difference between remote user and principal
> name is?
>
> For example at: http://127.0.0.1/examples/jsp/security/protected/index.jsp
>
> I see:
>
> You are logged in as remote user johnd
>
> Your user principal name is johnd

It depends on how your servlet container implements security.  For Tomcat, the
following rules apply:

* For BASIC, DIGEST, or FORM-BASED authentication,
  using the default SimpleRealm (i.e. the names and roles
  in the tomcat-users.xml file), Tomcat constructs a very
  simple java.security.Principal implementation, using the
  authenticated username as the name, and returns it
  to you.

* For CLIENT-CERT authentication (Tomcat 4.0 only), this
  will be the java.security.Principal object from the first
  certificate in the client certificate chain that was submitted
  by the client.

* If you define your own custom authenticator Realm
  implementation, the returned Principal can be some
  environment-specific object (implements java.security.Principal)
  containing other security related information relevant to your
  environment.

Craig McClanahan
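
An added example (not part of the original message, and not Tomcat's own code): the three cases listed above as seen from application code, which should not assume the Principal's name is always a bare login name. `NamePrincipal`, `RealmPrincipal`, the subject DN and the role name are constructed stand-ins; in a servlet the object would come from `request.getUserPrincipal()`.

```java
import java.security.Principal;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class PrincipalKinds {

    // Constructed stand-in for the simple name-only Principal (BASIC/DIGEST/FORM case).
    record NamePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Constructed stand-in for a custom Realm's Principal carrying extra information.
    record RealmPrincipal(String name, Set<String> roles) implements Principal {
        public String getName() { return name; }
    }

    // Pull the CN out of a certificate subject DN; null if the DN has none.
    static String commonName(X500Principal p) throws InvalidNameException {
        for (Rdn rdn : new LdapName(p.getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    // What application code can safely say about whichever Principal it was handed.
    static String describe(Principal p) throws InvalidNameException {
        if (p == null) {
            return "not authenticated";
        }
        if (p instanceof RealmPrincipal rp) {
            return "realm user " + rp.getName() + ", roles " + rp.roles();
        }
        if (p instanceof X500Principal x) {
            return "certificate subject " + x.getName() + ", CN " + commonName(x);
        }
        return "user " + p.getName();
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println(describe(new NamePrincipal("johnd")));
        System.out.println(describe(new X500Principal("CN=johnd, OU=Example, O=Example Corp")));
        System.out.println(describe(new RealmPrincipal("johnd", Set.of("manager"))));
        System.out.println(describe(null));
    }
}
```

In the certificate case the name is a full distinguished name rather than a login name, so access checks that compare `getName()` against a list of usernames behave differently depending on the authentication method in use.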


