tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 57708] [Patch] Authentication by reverse proxy, authorization by Tomcat
Date Wed, 18 Mar 2015 10:43:15 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57708

--- Comment #4 from Mark Thomas <markt@apache.org> ---
I did look at this yesterday and I got as far as having something ready to
commit but I'm not entirely happy with it.

The question is where to do the authorization.

If authorization is done in the CoyoteAdapter (the Context and therefore the
Realm is available) then it will work regardless of the Authenticator
implementation that is used. The downside is that it happens before the
Principal caching that avoids large numbers of Realm lookups is reached (this
is in AuthenticatorBase). It also makes an assumption that the request mapping
won't change (e.g. by the RewriteValve).

If authorization is done in AuthenticatorBase then Connector authorization
depends on the Authenticator implementation and that doesn't seem right.

I've looked at several options and - so far - all of them have issues. I'll
spend some more time thinking about this.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

