tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "vsajip \(yahoo.com\)" <vsa...@yahoo.com>
Subject Problems with Tomcat4 Security Design
Date Fri, 25 Oct 2002 22:06:29 GMT
I'm having problems using the Tomcat 4 security design for a slightly
customised requirement. I've created a custom realm for an external
information provider which, when I authenticate a user, gives me a token (in
the form of an essentially opaque object). This token needs to be passed
back to the external provider when accessing data protected by that
realm/external provider. I also need to enable single sign-on for a whole
virtual host.

I've got almost everything working correctly - my custom realm authenticates
correctly, and SSO with it works. However, I can't do anything useful with
the external information provider, since the current design provides no way
to put the token object from the realm into a request, where it could be
accessed by a servlet, JSP etc. This is because the realm has no access to
the request - you need an authenticator for that. I tried subclassing
FormAuthenticator, but it's of no use - an authenticator has to be placed
into a context, and can't be placed into a host! So to achieve SSO, I have
to add the authenticator as a valve into every Context. I'd rather not do
this unless it's unavoidable - and anyway, what would be the way of getting
the token out of the realm into the authenticator? Can anyone suggest a
clean alternative way of getting things to work in the scenario I've
described?

Also, why is it necessary to have getPassword(String username) and
getPrincipal(String username) in every Realm, especially as they all return
null except for the versions in MemoryRealm?

The idea of orthogonal realm and authenticator is nice in theory, but it
seems that what I need is something like an Authenticator and Realm rolled
into one. I'd appreciate any comments from those of you with experience in
this area. (This is my first post to the list, so please be patient if I
have missed something simple. I have searched the mailing-list archive for
similar problems and found no joy.)

Thanks,

Vinay Sajip




--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message