tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat's container architecture - Authenticator
Date Wed, 28 Nov 2007 17:09:16 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Barbara,

Bárbara Vieira wrote:
> My question is: why we are putting the Principal in the Request?

So that request.getUserPrincipal() will return a value.

> Why we can’t just authenticate the user if there is a principal in 
> internal Session?! Doesn’t make sense, put the Principal in the 
> Request, and after in the authentication method we just test if there
>  is a Principal in the Request and return true.

A request may be checked multiple times for authentication (think
server-side forwards, etc.) so it's a small optimization to cache the
principal in the request -- and it satisfies the requirement that
request.getUserPrincipal() actually works, so it makes sense.

> In others words, what kind of security this process provides?!

There will never be a Principal object that has not been properly
authenticated. Is that good enough security for you?

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHTaC89CaO5/Lv0PARArZNAJ9GTktlPVu1+Q3a9CMkxbtdAB5V4QCeJJwm
K6u4yM6jdG/l+IA/p/WT0TI=
=lF0e
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message