tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From D M <>
Subject Re: I have some new FormAuthenticator code for Tomcat.
Date Mon, 27 Jun 2005 20:08:43 GMT

Hi Mark,

Thanks for your comments. My responses inline.

>1. Your reference to sending an encrypted user certificate file to the 
>server demonstrates a lack of understanding of PKI that undermines my 
>confidence that you know what you are doing when it comes to security.

I think I wasn't being clear here. I didn't mean a certificate file as used in PKI. I was
simply giving an example of some other type of data (besides a simple string) that could be
used as an authentication key. The example was simply a file of any sort.

>2. JAAS provides plug-in authentication.

Sure it does, but NOT for FORM logins. Tomcat (and all other java web servers I've come across)
allow only authenticating with a username and password. This gives flexibility with FORM logins
working with Tomcat.

>3. Password hashing is already supported.

While password hashing may be supported, that is only ONE example of a manipulation that might
be required on a key for authentication. Everytime a new mechanism arises, making a new implementation
in Tomcat can create a bit of a mess, but with this form auth API, you can just plug it in.

>4. The implementation is Tomcat specific and hence is non-portable.

That's true in the short but as I said there was no change of Tomcat's code and the internal
implementation of Tomcat is actually hidden from the Plugin classes. So it's actually quite
easy to make an implementation of this for a number of web servers (and I'm actually making
one for Jetty right now). So you could keep these classes as their own API that plugs in to
Tomcat (which is how I made it. The only class Tomcat needs to know about is FormAuthenticator).


Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
  • Unnamed multipart/alternative (inline, 8-Bit, 0 bytes)
View raw message