tomcat-users mailing list archives

From Bárbara Vieira <barbar...@di.uminho.pt>
Subject RE: Tomcat's container architecture - Authenticator
Date Wed, 28 Nov 2007 18:40:39 GMT
Hi Chris!!


>A request may be checked multiple times for authentication (think
>server-side forwards, etc.) so it's a small optimization to cache the
>principal in the request -- and it satisfies the requirement that
>request.getUserPrincipal() actually works, so it makes sense.

This is not an answer to my question. If you look at the sequence that the Request object goes through
in the invoke method in AuthenticatorBase, and the authenticate method in the FormAuthenticator,
you'll see that my question isn't that.
I know that caching data is an optimization. But if we have the Principal in the cache, why do we
have to call the authenticator method (FormAuthenticator)? That call doesn't provide any additional
security. Can you understand now?

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, 28 November 2007 17:09
To: Tomcat Users List
Cc: 'Carlo Politi'
Subject: Re: Tomcat's container architecture - Authenticator

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Barbara,

Bárbara Vieira wrote:
> My question is: why are we putting the Principal in the Request?

So that request.getUserPrincipal() will return a value.

> Why can't we just authenticate the user if there is a principal in the
> internal Session?! It doesn't make sense: we put the Principal in the
> Request, and afterwards in the authentication method we just test if there
> is a Principal in the Request and return true.

A request may be checked multiple times for authentication (think
server-side forwards, etc.) so it's a small optimization to cache the
principal in the request -- and it satisfies the requirement that
request.getUserPrincipal() actually works, so it makes sense.

> In other words, what kind of security does this process provide?!

There will never be a Principal object that has not been properly
authenticated. Is that good enough security for you?

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHTaC89CaO5/Lv0PARArZNAJ9GTktlPVu1+Q3a9CMkxbtdAB5V4QCeJJwm
K6u4yM6jdG/l+IA/p/WT0TI=
=lF0e
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
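The flow the two of them are arguing about (request-level cache, session-level cache, and the real credential check behind both) is easier to see in code. The model below is an added illustration, not Tomcat's code and not something either poster wrote: the classes ModelRequest, ModelSession, ModelRealm and FormAuthenticatorModel are hypothetical, simplified stand-ins for the Request, Session, Realm and FormAuthenticator roles, and Tomcat's real code has more steps and different names. It demonstrates the property Chris states: the only path that creates a Principal runs through the realm, so a cached Principal is always one that was authenticated earlier.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/*
 * Hypothetical model of the authenticate() flow discussed in this thread.
 * Not Tomcat's code: names, fields and control flow are simplifications.
 */
public class AuthCacheModel {

    /** Stand-in for the container's internal session. */
    static class ModelSession {
        Principal principal;                 // set only after a successful login
    }

    /** Stand-in for the Request object passed through the container pipeline. */
    static class ModelRequest {
        final ModelSession session;
        Principal principal;                 // per-request cache behind getUserPrincipal()
        String postedUser, postedPassword;   // form fields; null unless this is the login POST
        ModelRequest(ModelSession s) { session = s; }
        Principal getUserPrincipal() { return principal; }
    }

    /** Stand-in for a Realm: the only component that can vouch for a credential. */
    static class ModelRealm {
        private final Map<String, String> users = new HashMap<>();  // constructed sample user
        ModelRealm() { users.put("alice", "correct horse"); }
        Principal authenticate(String user, String password) {
            if (user != null && password != null && password.equals(users.get(user))) {
                return () -> user;           // java.security.Principal has one abstract method, getName()
            }
            return null;
        }
    }

    /** Stand-in for FormAuthenticator. */
    static class FormAuthenticatorModel {
        final ModelRealm realm;
        int realmCalls = 0;                  // how often a real credential check ran (for the demo)
        FormAuthenticatorModel(ModelRealm r) { realm = r; }

        boolean authenticate(ModelRequest req) {
            // 1. This same request was already checked earlier (e.g. a server-side forward):
            //    the request-level cache answers without any further work.
            if (req.principal != null) return true;

            // 2. The user logged in on an earlier request of this session: re-attach the
            //    cached Principal so request.getUserPrincipal() works, without consulting the realm.
            if (req.session.principal != null) {
                req.principal = req.session.principal;
                return true;
            }

            // 3. No cached Principal anywhere. Without posted form credentials there is nothing
            //    to check (the real code would save the request and send the login page).
            if (req.postedUser == null) return false;

            // 4. The only place a Principal is ever created: after the realm accepts the credential.
            realmCalls++;
            Principal p = realm.authenticate(req.postedUser, req.postedPassword);
            if (p == null) return false;
            req.session.principal = p;
            req.principal = p;
            return true;
        }
    }

    public static void main(String[] args) {
        FormAuthenticatorModel auth = new FormAuthenticatorModel(new ModelRealm());
        ModelSession session = new ModelSession();

        ModelRequest anon = new ModelRequest(session);          // no login yet, no credentials
        System.out.println("anonymous request: " + auth.authenticate(anon));

        ModelRequest login = new ModelRequest(session);         // the login form POST
        login.postedUser = "alice";
        login.postedPassword = "correct horse";
        System.out.println("login request: " + auth.authenticate(login));

        // Same request checked again, as happens on a forward: step 1 short-circuits.
        System.out.println("same request after forward: " + auth.authenticate(login));

        // A later request in the same session: step 2 short-circuits and fills the request cache.
        ModelRequest later = new ModelRequest(session);
        System.out.println("later request: " + auth.authenticate(later)
                + " as " + later.getUserPrincipal().getName());

        System.out.println("realm consulted " + auth.realmCalls + " time(s)");
    }
}
```

Running main shows the anonymous request rejected, the three subsequent checks accepted, and the realm consulted only once across all of them: the two cache hits never create a Principal, they only reuse the one the realm produced. Removing step 1 would not change the security outcome, only the cost of repeated checks on the same request, which is the optimization argument in the thread.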



