Subject: Re: Request for comment on BZ 59750 (authentication listener)
From: Christopher Schultz
To: dev@tomcat.apache.org (Tomcat Developers List)
Date: Thu, 29 Mar 2018 14:07:47 -0400
Message-ID: <624a29b7-9be4-202a-0310-148430ef7a6d@christopherschultz.net>

Rémy,

On 3/29/18 11:41 AM, Rémy Maucherat wrote:
> On Thu, Mar 29, 2018 at 3:48 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
>
>> All,
>>
>> For reference: https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>>
>> I've got a proposal (in patch form) attached to that BZ issue.
>>
>> Ralf's enhancement request is fairly terse, but this is something I'd like to have as well.
>>
>> The requirement is to be able to log failed authentication attempts. As it stands, using container-managed authentication does not allow this (as far as I can tell).
>>
>> My proposal is essentially a new listener interface that authenticator classes will invoke (if registered) when an authentication event occurs (success or failure). The Request object and username are currently arguments to the two methods on the interface.
>>
>> You can read the entire current patch without even scrolling your screen.
>>
>> Before attempting to publish a more complete patch, I wanted to know if there was any appetite for this kind of thing, or any objections.
>>
>
> Ok with the idea, but the patch is indeed very incomplete.

Absolutely. I wanted to make sure there were no -1s before I spent much time on it. That represents maybe 5 minutes of work :)

Some specific questions:

For FormAuthenticator: there are several calls to authenticate() in doAuthenticate. I chose to ignore the call at the top of the method because I didn't understand the purpose. Something about re-authentication of a previous authentication? Would it be appropriate to also fire an authentication event at that time?
For Basic/DigestAuthenticator: since technically the user is being authenticated at *every* request, should we bother trying to avoid spamming the Listener, or should we let the Listener decide how to handle the huge number of events it will likely get?

Does Tomcat know whether the authentication is a re-authentication or not? If so, should it let the Listener know this is a re-authentication?

Implementing a listener in a webapp: can a listener be registered from within the web application without any ClassLoader weirdness?

What options exist for writing a listener that doesn't require a compile-time dependency on Tomcat? (I suspect this is unavoidable, because even if reflection is used to invoke the listener's method by *name* and not via an interface call, the Tomcat-specific Request class is a parameter to the interface methods. Changing that to "Object" kind of defeats the purpose of the interface.)

Thanks,
-chris
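The following is an added illustration, not the patch attached to BZ 59750 and not Tomcat code: a listener written against the interface shape the message describes (two callbacks taking the Tomcat Request and the username). The interface and method names `AuthenticationListener`, `authenticationSucceeded` and `authenticationFailed`, the class `FailedAuthLogger`, and the assumption of Tomcat 9 (javax.servlet) with catalina.jar on the compile classpath are all this example's own. It takes the second branch of the Basic/Digest question above: the authenticator fires on every request and the listener decides for itself what is worth logging, since nothing tells it whether an event is a re-authentication.

```java
// Added example (not the BZ 59750 patch, not Tomcat code). Assumes Tomcat 9
// (javax.servlet) and catalina.jar on the classpath; interface and method
// names below are assumptions about the proposed listener's shape.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.http.HttpSession;

import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/** Assumed shape of the proposed interface: two callbacks, Request plus username. */
interface AuthenticationListener {
    void authenticationSucceeded(Request request, String username);
    void authenticationFailed(Request request, String username);
}

/**
 * Logs every failed attempt, and logs a success once per session so that
 * FORM re-authentication and Basic/Digest (which authenticate on every
 * request) do not flood the log. Tomcat does not tell the listener whether
 * an event is a re-authentication, so the listener decides for itself.
 */
public class FailedAuthLogger implements AuthenticationListener {

    private static final Log log = LogFactory.getLog(FailedAuthLogger.class);

    /** Session attribute set once a success has been logged for that session. */
    private static final String LOGGED_ATTR =
            FailedAuthLogger.class.getName() + ".logged";

    /** Consecutive failures per client address; reset by a success. */
    private final Map<String, AtomicInteger> failuresByAddr = new ConcurrentHashMap<>();
    private static final int MAX_TRACKED_ADDRS = 10_000; // bound memory under a spray
    private static final int WARN_THRESHOLD = 5;

    @Override
    public void authenticationSucceeded(Request request, String username) {
        String addr = request.getRemoteAddr();
        failuresByAddr.remove(addr);

        HttpSession session = request.getSession(false);
        if (session == null) {
            // Sessionless Basic/Digest: this fires on every request, so keep
            // it at debug level rather than cluttering the audit trail.
            if (log.isDebugEnabled()) {
                log.debug("auth ok (stateless) user=" + clean(username) + " from=" + addr);
            }
            return;
        }
        if (session.getAttribute(LOGGED_ATTR) != null) {
            return; // already logged for this session
        }
        session.setAttribute(LOGGED_ATTR, Boolean.TRUE);
        // Deliberately no session ID in the log line: a leaked log must not be a session list.
        log.info("auth ok user=" + clean(username) + " from=" + addr);
    }

    @Override
    public void authenticationFailed(Request request, String username) {
        String addr = request.getRemoteAddr();
        int count = 1;
        AtomicInteger counter = failuresByAddr.get(addr);
        if (counter != null) {
            count = counter.incrementAndGet();
        } else if (failuresByAddr.size() < MAX_TRACKED_ADDRS) {
            counter = failuresByAddr.computeIfAbsent(addr, a -> new AtomicInteger());
            count = counter.incrementAndGet();
        }
        // The username comes straight from the client, so sanitize it before logging.
        log.warn("auth FAILED user=" + clean(username) + " from=" + addr
                + " uri=" + request.getRequestURI() + " consecutive=" + count);
        if (count == WARN_THRESHOLD) {
            log.warn("possible credential guessing from " + addr
                    + ": " + count + " consecutive failures");
        }
    }

    /** Replaces CR/LF and other control characters so a crafted username cannot forge log lines. */
    static String clean(String s) {
        if (s == null) {
            return "<none>";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            sb.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        return sb.toString();
    }
}
```

The authenticator-side call site (where `FormAuthenticator.doAuthenticate` or `BasicAuthenticator` would invoke the registered listener after the Realm answers) and the registration mechanism are exactly the open points of the message and are not shown here. Two practitioner notes that the listener side does settle: the listener sees only the username and the Request, never the password, so it cannot leak a credential, but it must still treat the username as untrusted input (hence `clean()`), and it must bound any per-client state it keeps, since an unauthenticated client can drive the failure path as hard as it likes.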