tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Tomcat's container architecture - Authenticator
Date Thu, 29 Nov 2007 03:29:57 GMT

"Christopher Schultz" <> wrote in message
> Hash: SHA1
> Bárbara,
> Bárbara Vieira wrote:
>> But if we have the Principal in cache, why we have to call the
>> authenticator method(FormAuthenticator)? That call doesn't provide any
>> additional security, can you understand now?
> That's a good question. Given the current implementation, it doesn't
> seem to make sense. On the other hand, the original designers could have
> determined that some /other/ authenticator might want to wrap (or
> otherwise change) a request even if the Principal were already available.

You can't easily wrap the TC internal Request for 5.5+.  But this is the 
main reason.  When deriving from AuthenticatorBase, the actual Authenticator 
implementation has the final say (via it's authenticate method)  on who to 
except.  The Authenticators that ship with Tomcat will accept that a 
previous Valve has authenticated the user (e.g. a custom SSO Valve), but 
that isn't actually part of the contract for Authenticator.

This suggests that the OP would have an easier time if she created a custom 
Valve (that doesn't implement the Authentictor interface), say 
com.myfirm.mypackage.MySSLAuthValve, and in web.xml specify FORM auth. 
Since configured Valves get invoked before Container Valves (as TC is 
structured now), it would have first choice of authenticating.  If 
MySSLAuthValve sets the Principal in the Request, then TC's 
FormAuthenticator will just quietly accept it.  If it doesn't, then you get 
normal FORM auth from TC.

> If you're writing your own, why not simply re-write the code the way you
> think best and then test the heck out of it. Try the tomcat-dev list to
> see if someone can answer. Perhaps it's just legacy code that could be
> further optimized.

Suggestions on how to improve the Authenticators that ship with TC are 
always welcome on dev@tomcat.  But help on rolling-your-own-Authenticator 
will likely get you pointed back to this list :).

> - -chris
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla -
> iD8DBQFHTekx9CaO5/Lv0PARAoo/AJ47Gx7MrW/kVBkpjmu7b40dovvS4QCfWAlm
> sQYLWxYa/+5ImWvYJNraz6w=
> =wlbi
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message