tomcat-users mailing list archives

From Mike La Budde <mike.labu...@irista.com>
Subject How to role your own Security/RequestInterceptor? (SimpleRealm::authorize() question)
Date Tue, 12 Dec 2000 22:13:12 GMT
Please note: I'm using Tomcat 3.2

1) I'm interested in creating my own RequestInterceptor for security 
purposes. Using SimpleRealm as a base/model, it is clear that I must 
implement at least the following two functions:

     public int authenticate( Request req, Response response )
     public int authorize( Request req, Response response, String roles[] )

The authenticate() is clear, since it simply calls req.setRemoteUser( user );

However, I'm a little confused by the behavior of the authorize() function. 
It returns a 401 when the user is not authorized (which is fine) but it 
returns a 0 if the user is authorized. How come it doesn't return a 200?? 
Here's part of the RequestInterceptor interface:

     /**
      *  Will check if the current ( authenticated ) user is authorized
      *  to access a resource, by checking if it have one of the
      *  required roles.
      *
      *  This is used by tomcat to delegate the authorization to modules.
      *  The authorize is called by isUserInRole() and by ContextManager
      *  if the request have security constraints.
      *
      *  @returns 0 if the module can't take a decision
      *           401 If the user is not authorized ( doesn't have
      *               any of the required roles )
      *           200 If the user have the right roles. No further module
      *               will be called.
      */
     public int authorize(Request request, Response response,
                          String reqRoles[]);

2) Is there an easier/better method for implementing your own security 
mechanism into Tomcat?

3) What are other people doing to implement security?

4) I'm assuming that anything I do for this will _NOT_ be portable (at 
least not without some effort) to a different JSP/Servlet engine. Any 
thoughts, comments, experience with this?

TIA,

Mike

PS: The misspelling (role) in the subject was intentional ;-) Any others r 
juste my dum misteaks...

/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
  Michael H. La Budde                    email:  mike.labudde@irista.com
  Prosoft, Inc.                          phone:  414-860-6509
  mike@prosoft-inc.com                   fax:    414-860-7014
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
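An added model of the three-valued authorize() contract quoted from the RequestInterceptor Javadoc above (0 = no decision, 401 = deny, 200 = allow and stop). This is illustration code, not Tomcat's ContextManager and not part of the original post; the module names, the user/role table and the fail-closed default used when every module abstains are assumptions of the model:

```python
"""Model of the authorize() return contract: 0 = module abstains, 401 = deny,
200 = allow and no further module is consulted. Stand-alone illustration."""

ABSTAIN, OK, UNAUTHORIZED = 0, 200, 401   # values named in the Javadoc

# Constructed user -> roles table standing in for a realm's user store.
USER_ROLES = {"alice": {"admin", "user"}, "bob": {"user"}}


def role_realm(user, required_roles):
    """A realm that takes a decision as the contract asks: 200 when the
    (authenticated) user holds any required role, 401 otherwise."""
    if user is None:
        return UNAUTHORIZED           # no remote user: cannot hold any role
    if USER_ROLES.get(user, set()) & set(required_roles):
        return OK
    return UNAUTHORIZED


def abstaining_realm(user, required_roles):
    """A module that never takes a decision. Note it also returns 0 for
    users it would consider authorized, which is the behaviour the post
    asks about: 0 is 'pass to the next module', not 'authorized'."""
    return ABSTAIN


def authorize_chain(modules, user, required_roles, default=UNAUTHORIZED):
    """Consult interceptors in order; the first non-zero answer wins.
    `default` is what the container does when every module abstains.
    Failing closed here is an assumption of this model, not a statement
    about what Tomcat 3.2's ContextManager does."""
    for module in modules:
        status = module(user, required_roles)
        if status != ABSTAIN:
            return status
    return default
```

With a fail-closed default, a module that answers 0 for users it actually authorized gets those users denied once it is the only module in the chain, which is why the contract reserves 200 for a positive decision.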

