tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: HTTP 400 with Form based authentication
Date Wed, 09 Sep 2015 20:27:12 GMT

Sreyan,

On 9/9/15 12:49 PM, Sreyan Chakravarty wrote:
> Okay can you please guide me on how to log the bug. That would be
> great. If possible you could do it yourself also.

1. Register for Bugzilla at bz.apache.org
2. Fill-out this form:
   https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208
   (You can get here from inside BZ, of course, but here's the link
    just in case you need it.)
3. Take care to describe this as best as you can. Feel free to
   reference this thread on the list; links to things like markmail.org
   are great because readers can easily follow them to get the
   context of the discussion, even if it's not fully contained in the
   bug report
4. If you're up for it, propose a patch. You'll get your name into the
   changelog for all eternity :)

> And as far as opinions go I really don't know. The whole process of
> Realms seems confusing to me and it's overtly complicated.

Presumably you mean "overly complicated". It's actually not once you
understand the complexity of what's being implemented. The
Authenticator/Realm split exists because any combination of
authentication mechanism (HTTP Basic, HTTP Digest, FORM, TLS-CERT,
etc.) and credential-storage mechanism (e.g. JDBC database, Java
Truststore, flat-file, etc.) needs to be supported.

I've always thought that the names (authenticator and realm) were bad
and confusing (especially because HTTP Basic/Digest uses the term
"realm" to describe the general thing-to-which-you-are-authenticating).

Perhaps better names would be:

authenticator = credential soliciter
realm = credential validator

But these names are far too historic to change, now.

The good news now is that the realms support better than the least
effort possible for a security system. The best you could do a year
ago was to use a single run-through of a supported hash algorithm, and
the default was MD5. Yuck. So, the fact that you can plug in your own
algorithms for credential mutation is a really great system. To
wire in scrypt a year ago would have been a mess, unless you just
wanted to write your own Realm that only supported a single
authenticator.

Anyhow, things are getting better thanks to contributions from the
community. Welcome to the community :)

- -chris
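A concrete illustration of the pluggable credential handling Chris describes above, added here as an example and not part of the original thread: a Tomcat 8 Realm configuration with the old-style unsalted, single-pass MD5 beside a salted, iterated handler. The realm and resource names are the stock server.xml defaults; the user name and password in the comments are constructed sample values.

```xml
<!-- Weak: the Tomcat 8 equivalent of the old digest="MD5" setting.
     Single pass, no salt (MessageDigestCredentialHandler defaults to
     iterations="1" and saltLength="0" for backward compatibility). -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="MD5"/>
</Realm>

<!-- Hardened: salted, iterated digest. Stored values take the form
     <salt-hex>$<iterations>$<digest-hex>, so each user's salt and
     iteration count travel with the stored credential and can be
     raised later without breaking existing entries. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="SHA-256"
                     iterations="100000"
                     saltLength="16"/>
</Realm>

<!-- Same plug-in point, key-derivation flavour: PBKDF2 via the JDK's
     SecretKeyFactory instead of an iterated message digest. -->
<CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                   algorithm="PBKDF2WithHmacSHA512"
                   iterations="100000"
                   keyLength="256"
                   saltLength="16"/>

<!-- Producing a stored credential that matches the hardened handler,
     run from CATALINA_HOME/bin ("s3cret" is a constructed sample):
       $ ./digest.sh -a SHA-256 -i 100000 -s 16 \
           -h org.apache.catalina.realm.MessageDigestCredentialHandler s3cret
     The tool prints "s3cret:<salt-hex>$100000$<digest-hex>"; the part after
     the colon goes into tomcat-users.xml:
       <user username="alice" password="<salt-hex>$100000$<digest-hex>"
             roles="manager-gui"/> -->
```

The handler parameters in server.xml and the digest.sh flags must agree, otherwise the realm will parse the stored value but compute a different digest and every login will fail.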
