tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Setting JK_REMOTE_USER help
Date Thu, 17 Jun 2010 13:11:48 GMT
On 17/06/2010 13:26, André Warnier wrote:
> I must say that, with my limited knowledge of the Tomcat internals taken
> into consideration, I tend to agree with Marc in this case, if he is
> right in claiming that the Tomcat Realm mixes authentication with
> authorization and does not allow to separate the two.

That is how Tomcat Realms are designed. This is consistent with the
Servlet sepc that leaves the implementation details entirely to the
container. If Tomcat required all authentication requests to be made via
carrier pigeon then that would be spec complaint providing the correct
information was exposed via the API defined in the spec.

> At the very least, I would expect the Realm to check first if the
> request already has a user-id, and skip the authentication part in such
> a case.

Easier said than done. The Realms deliberately have no visibility of the
request or the response. The Authenticators extract the username and
password, pass them to the realm to obtain an authenticated Principal
(with roles) and then the Authenitcators populate the attributes that
then support the calls in the Servlet API.

The way to handle this (probably) is to modify the Authenticators
(hopefully just the base class) to check for an already authenticated
user. If one is found, use the realms just to get the roles. The
implementation for that is already in place. It just needs adding to the
interface and the visibility changed. Then you just need to figure out
how to merge the existing Principal (that may have roles) with the new
one that has the roles from the Realm.

Tomcat 7's internal API has deliberately been declared as volatile inthe
docs so now is the time to make these changes. Patches welcome.

Note this won't get ported back to 6 due to the API changes required.

> There are many cases out there were Tomcat is only a part of a more
> complex system, where a network-wide authentication is required, while
> the authorization part may still be one that only Tomcat can do.
> A naive linked question : is the <Realm> a purely Tomcat thing, or is it
> mandated by the Servlet Spec ?

100% pure Tomcat.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message