tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Progress Check-In for Security Enhancements
Date Mon, 18 Oct 1999 03:41:56 GMT
The TOMCAT-DEV mailing list server choked on my CVS check-in
confirmation message for a bunch of new modules (40kb seems like an
awfully low limit for this type of message).  I've pasted below the
comments I added -- all the code is new, so just do a cvs update (or the
equivalent for your environment) and look for the new files in directory

-------------------------- <Pasted Comments>

  Added:       src/share/org/apache/tomcat/security/file
                        tomcat-users.dtd tomcat-users.xml
  Progress check-in of the code for a file-based implementation of the
  RealmConnector interface (which is proposed to replace the existing
  RequestSecurityProvider interface in org.apache.tomcat.core).  This
  compiles cleanly, but has not been tested.  In fact, there are many
  comments marking TODO items that must be resolved before it *can*
  function, and we will need to have a utility program to create the XML
  file with the encrypted password strings.  However, it is worth
  this in its current state for review and comment by the community.

  There are no linkages to this package in the existing code base yet,
  nothing should get broken.

  The included files (package are as
  follows:

  -- Application constants for this package, following
        the usual Tomcat pattern (but with at least a couple comments
        :-).

  -- Implementation of the RealmConnector
        interface, interacting with a FileRealmDatabase object that
        will have been loaded from an XML file.  Note that, as with
        the RealmConnector interface itself, the available methods
        only answer the questions that a Context needs to ask -- in
        particular, the deployment descriptor only knows about users
        (principals) and roles, not about groups.  It is up to each
        RealmConnector implementation to adapt these questions to the
        underlying data structures of the security domain being
        accessed.

  -- Database object representing the contents
        of an XML file conforming to the "tomcat-users" DTD.  This is
        a separate object because it will be needed by administrative
        applications that create and update users, groups, and roles.

  -- In-memory representation of a group, with its
        associated users and roles.

  -- In-memory representation of a user, with its
        associated groups and roles.

  tomcat-users.dtd -- DTD for a file-based security domain (this is
        basically Pier's proposed DTD with some comments added)

  tomcat-users.xml -- Example "database" contents that conforms to the
        DTD (this is basically the example proposed on the TOMCAT-DEV
        mailing list).

  Once the RealmConnector concept is accepted and integrated with the
  additional implementations for other security domains need to be
  developed.  In particular, a RealmConnector implementation that
  the Apache connector's linkage back to Apache is needed for
  of the Apache + Tomcat combination.

-------------------------- </Pasted Comments>

Craig McClanahan
