tomcat-dev mailing list archives

Subject Re: [VOTE] Short Term Plan: Add Security Management Capabilities to Tomc
Date Sun, 17 Oct 1999 17:21:31 GMT
> > [snipped to include just the relevant responses]
> > You might find it useful to abstract a concept of "realm" (also,
> > called security domain) that has a set of users and groups. So,
> > that you can extend it easily to support different types of users.
> >
> In a previous response, I outlined an approach whereby multiple web-apps could share
> security domains (realms) if they wanted to, without having to represent the
> security realm itself as an object.  We can of course make security domains first
> class objects like contexts are, but it didn't seem necessary.

I didn't get your email, but I think security domains should be "first class objects".
We need in fact 2 interfaces - one for Authentication and one for Authorization
(ACL-like), and both are too generic to make them anything but "first class".

IMHO it would be nice to also have them independent of the servlet API, and
use the Interceptor to connect the servlet API with the authentication/authorization.

SimpleAuthInterceptor will extract the user/password from a Request and
use Authentication to check the password (note: many authentication services,
like RADIUS and TACACS, do not allow you to see the password, but only to check it).

Anyway, one interesting reading would be the PAM specs. We should not
"invent" a new wheel - it's better to find an existing model and base our design
on it.

My guess is that this subject will grow very big, and we shouldn't go for the simplest
design but use one that will allow us to expand (i.e. more than the current interface,
which reflects only current needs).

There are many models to represent realms/users/authentication/authorization.

(good "readings before writing" would also be: RADIUS and TACACS for authentication)
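The two-interface design sketched in this message, as an added Java example that is not from the original thread or from Tomcat itself: the `Authentication`, `Authorization`, `Request` and `SimpleAuthInterceptor` names and signatures are assumptions. `Authentication` can only check a password and hand back a principal, never return the stored secret, which is the RADIUS/TACACS constraint the message points out, and the interceptor talks to a small `Request` abstraction rather than the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Authentication: verify a credential without ever exposing it. Backends such as
// RADIUS or TACACS can answer "is this password right?" but never "what is it?".
interface Authentication {
    Optional<String> authenticate(String realm, String user, char[] password);
}

// Authorization: ACL-style decision, kept independent of the servlet API.
interface Authorization {
    boolean isAllowed(String realm, String principal, String resource, String action);
}

// Minimal request abstraction (assumed) so the interceptor does not import javax.servlet.
interface Request {
    String header(String name);
    String path();
    String method();
}

// SimpleAuthInterceptor (assumed name): extracts HTTP Basic credentials and delegates
// to the two interfaces. Returns the HTTP status the container should send.
final class SimpleAuthInterceptor {
    private final String realm;
    private final Authentication authn;
    private final Authorization authz;

    SimpleAuthInterceptor(String realm, Authentication authn, Authorization authz) {
        this.realm = realm; this.authn = authn; this.authz = authz;
    }

    int intercept(Request req) {
        String h = req.header("Authorization");
        if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return 401; // challenge client
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return 400;                                          // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return 400;                               // no user:password separator
        char[] pw = decoded.substring(colon + 1).toCharArray();
        Optional<String> principal = authn.authenticate(realm, decoded.substring(0, colon), pw);
        Arrays.fill(pw, '\0');                                   // clear the secret after the check
        if (principal.isEmpty()) return 401;                     // unknown user or bad password
        return authz.isAllowed(realm, principal.get(), req.path(), req.method()) ? 200 : 403;
    }
}
```

A realm implementation would supply both interfaces; the interceptor never learns whether the check happened against a local hash table or a remote RADIUS server.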