tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: How to role your own Security/RequestInterceptor?(SimpleRealm::authorize() question)
Date Wed, 13 Dec 2000 02:40:20 GMT
Mike La Budde wrote:

> Please note: I'm using Tomcat 3.2
> 1) I'm interested in creating my own RequestInterceptor for security
> purposes. Using SimpleRealm as a base/model, it is clear that I must
> implement at least the following two functions:
>      public int authenticate( Request req, Response response )
>      public int authorize( Request req, Response response, String roles[] )
> The authenticate() is clear, since it simply calls req.setRemoteUser( user );
> However, I'm a little confused by the behavior of the authorize() function.
> It returns a 401 when the user is not authorized (which is fine) but it
> returns a 0 if the user is authorized. How come it doesn't return a 200??

I didn't write the interceptor stuff, so don't blame me for inconsistencies in
result codes :-).  More seriously, I believe this was modelled after the way that
Apache modules work, where zero is the usual response that says "keep going".
Returning a "200" would mean "stop processing this request and just send back a
200 status with no response data" -- probably not what you want.

Instead of looking at SimpleRealm as a model, you might want to look at JDBCRealm
(in the same org.apache.tomcat.request package) instead.  In fact, if all you
want to do is store users and roles in a database, you can probably just use this
and not even write one yourself.

> 2) Is there an easier/better method for implementing your own security
> mechanism into Tomcat?

As above, see if JDBCRealm meets your needs.

> 3) What are other people doing to implement security?
> 4) I'm assuming that anything I do for this will _NOT_ be portable (at
> least not without some effort) to a different JSP/Servlet engine. Any
> thoughts, comments, experience with this?

Yep -- request interceptors (Tomcat 3.x) and valves (Tomcat 4.x) are container
specific mechanisms.  Different containers offer differing support for
integrating your own authentication inside the container.

In a servlet 2.3 environment (i.e. Tomcat 4.0), however, you have the additional
option to implement security in a Filter.  These are portable across 2.3
containers in the same way that servlets are.

> TIA,
> Mike


> PS: The misspelling (role) in the subject was intentional ;-) Any others r
> juste my dum misteaks...


View raw message