tomcat-users mailing list archives

From Pid <>
Subject Re: Setting JK_REMOTE_USER help
Date Thu, 17 Jun 2010 07:31:34 GMT
On 17/06/2010 02:41, Marc Boorshtein wrote:
>>> The problem with the Realm system is it's designed with the assumption
>>> that tomcat is doing the authentication which is not a valid
>>> assumption in an environment where the authentication is separated
>>> from authorization.  The entire point of container security is that as
>>> a coder I don't have to worry about how any of this is implemented.
>> The problem with Tomcat is that all too often it doesn't do what people
>> expect it should do*.
>> p
>> * Or maybe the problem isn't Tomcat.
> I'm not looking to start a holy war here, but is there anything
> incorrect in what I said?  Tomcat is a servlet container, the servlet
You made a sweeping statement about container managed security which
implied that things should just work.  Someone has to make them work.

As an app developer you might not have to worry about how the bits
behind the API work, but some admin has to configure it properly.

> API is a contract between the container and the developer, the
> contract specifies how a developer would access role information
> regardless of the implementation.  Since the Realm implementation
> assumes that Tomcat is doing the authentication and breaks when it
> isn't Tomcat, isn't that a violation of the contract?

No.  I don't think it is.

Your specific need might not be handled by the Realm implementations
supplied with Tomcat, but that's not proof that either design of Realms
is flawed or that Tomcat isn't spec compliant.

> It's open
> source, so I'm not complaining or demanding anything.  I think I know
> how to do what I need however that doesn't change the facts of the
> situation that Tomcat does not have the built in capability for a
> standard realm to simply retrieve user information as opposed to
> authentication AND user retrieval that would enable Tomcat to maintain
> its compliance while being fronted by Apache.

The explanation you provided in your 3rd email doesn't sound like
'simply' to me.  You also state that other servlet containers need a 3rd
party agent to achieve the desired result.

If your complaint is accurate then the other 3 servers you name must
also 'violate the contract' because they don't provide what you need out
of the box.
