tomcat-users mailing list archives

From Marc Boorshtein <>
Subject Re: Setting JK_REMOTE_USER help
Date Thu, 17 Jun 2010 01:41:27 GMT
>> The problem with the Realm system is it's designed with the assumption
>> that tomcat is doing the authentication which is not a valid
>> assumption in an environment where the authentication is separated
>> from authorization.  The entire point of container security is that as
>> a coder I don't have to worry about how any of this is implemented.
> The problem with Tomcat is that all too often it doesn't do what people
> expect it should do*.
> p
> * Or maybe the problem isn't Tomcat.

I'm not looking to start a holy war here, but is there anything
incorrect in what I said?  Tomcat is a servlet container, the servlet
API is a contract between the container and the developer, the
contract specifies how a developer would access role information
regardless of the implementation.  Since the Realm implementation
assumes that Tomcat is doing the authentication and breaks when it
isn't Tomcat, isn't that a violation of the contract?  It's open
source, so I'm not complaining or demanding anything.  I think I know
how to do what I need; however, that doesn't change the facts of the
situation that Tomcat does not have the built-in capability for a
standard realm to simply retrieve user information as opposed to
authentication AND user retrieval that would enable Tomcat to maintain
its compliance while being fronted by Apache.

