tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Tomcat 7 and securityfilter [or A Love Letter to markt]
Date Tue, 30 Mar 2010 22:50:51 GMT
On 30/03/2010 23:05, Christopher Schultz wrote:
> All,
> One of the major architectural changes I've heard about coming in Tomcat
> 7 is the removal of the Valve interface in favor of using the standard
> javax.servlet.Filter interface.

Getting Tomcat 7 to move from Valves towards Filters is one of my pet
projects. There is still a long way to go and it isn't at the top of my
todo list.

> IIRC, the current implementation of container-managed authentication and
> authorization is done using a Valve (or series of Valves).

It is currently a single Valve.

> If Tomcat is moving to Filters rather than Valves, does that mean that
> Tomcat authentication will be done using Filters, or is there some other
> strategy in the works?

The strategy is to move to filters. The tactics are somewhat lacking in

> I ask because a Filter-based authentication and authorization strategy
> would duplicate the work of securityfilter (and probably be more
> up-to-date, but that's beside the point).

Potentially. I see security filter is essentially Apache licensed. Hmm.
I feel a Baldrick[1] moment coming on.

> I would actually prefer that Tomcat go with a Filter-based
> authentication strategy because of the flexibility which can be achieved
> by intercepting the call chain without having to dive into the internals
> of Tomcat.
> What's the plan for T7-auth?

At the minute, implement JSR-196 once the Servlet 3.0 is completed (it
is very close) with a valve to filter move for authentication probably
pushed back to Tomcat 8.

SecurityFilter is an obvious starting point. How do you feel about
contributing some patches with the aim of merging the SecurityFilter
code into Tomcat? Is it feasible to do this incrementally or would it
need to be in one big patch?



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message