Posted to slide-user@jakarta.apache.org by Unger Richard <ru...@camino.at> on 2002/09/25 15:30:52 UTC

AW: User Authentication

Hi!

I agree with your analysis...

Richie



-----Original Message-----
From: O.Geisser@ceyoniq.com [mailto:O.Geisser@ceyoniq.com]
Sent: Wednesday, 21 August 2002 14:10
To: slide-user@jakarta.apache.org
Subject: RE: User Authentication


Hello!

I'm new to Slide, too. But I think I have understood
why there is such confusion about user authentication with Slide.

I will describe what I think is happening and someone who knows
better should correct me if I'm wrong.

First I want to make sure that everybody understands the difference
between authentication and authorization.

authentication

To verify the identity of someone.
Usually this happens when you give a username + password.
The username gives the identity and I only believe this if
the password is correct.

authorization

To decide if someone is allowed to do something.
An example: is user "joe" allowed to "GET" this file (resource)?

So before you can "authorize" someone for some action you need to
"authenticate" him to know his identity.


So back to Tomcat and Slide.

The authentication is done by Tomcat. In Tomcat you configure something
called a "realm" or "security realm".
A "realm" is the configuration of a user/password DB which is used for
the authentication. There are many possibilities where you can store this:
in memory, in a database, in a LDAP server, ...

You also configure for every webapp which "realm" to use (where does Tomcat
find the allowed usernames/passwords) and which users have access to this
webapp.

In other words: you also configure the "authorization" to access a webapp
as a whole.

Everything up to here happens in the Tomcat layer.

If Tomcat decides that you have access, it delegates the request to the
web app. For Slide this is the WebDAV Servlet.

Now inside Slide there is a second "authorization". To make this work
Slide must find a "node" for the user (Tomcat tells the web app the user
name) below the /users folder. If Slide does not find the name, or it
finds the user but this user does not have access rights (does not have
a valid ACL entry), it denies the access.

To summarize the above:
There are two places where you must insert information about a user:
1) In the "realm" used by Slide
2) In the Slide "user directory"; in the default config below "/slide/users"

Because this is error prone there is an alternative.
There exists a special "realm" implementation - the "SlideRealm".
This "realm" uses as its datasource the Slide "user directory". So this
unifies 1) and 2) and they cannot differ.

But there is a drawback: because you need access to Slide in the
SlideRealm class, you need to move the needed Java jars from the web app
directory into the global Tomcat lib directory. This is needed because by
design the classloaders of Tomcat and every web app are separated in a
certain way.

Please excuse my errors but English is not my native language.

Please excuse my errors but english is not my native language.

I hope you get the idea.

cu

Olli

--
Ceyoniq Technology


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
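
Added example (not part of the original thread, and not Slide or Tomcat code): a small audit of the drift between the two user stores described in the quoted message, reporting users who authenticate in the Tomcat realm but would be denied by Slide, and the reverse. The realm file, the node URIs and the ACL subject list are constructed sample data, and the "/users" root and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat memory-realm user file (tomcat-users.xml).
REALM_XML = """<tomcat-users>
  <user username="root" password="placeholder" roles="root"/>
  <user username="joe"  password="placeholder" roles="user"/>
  <user name="anna"     password="placeholder" roles="user"/>
</tomcat-users>"""

# Constructed sample: URIs of nodes in the Slide namespace, and the
# subjects that appear in at least one ACL entry. How you export these
# from your store is deployment specific and not shown here.
SLIDE_NODE_URIS = ["/users/root", "/users/joe", "/users/guest", "/files/a.txt"]
SLIDE_ACL_SUBJECTS = ["/users/root", "/users/guest"]


def realm_users(xml_text):
    """User names known to the realm (layer 1: Tomcat authentication)."""
    root = ET.fromstring(xml_text)
    # Older files use name=, newer ones username=; accept both.
    names = {u.get("username") or u.get("name") for u in root.iter("user")}
    return {n for n in names if n}


def names_below(uris, users_root):
    """Names of direct children of the Slide user directory."""
    prefix = users_root.rstrip("/") + "/"
    rest = (u[len(prefix):] for u in uris if u.startswith(prefix))
    return {r for r in rest if r and "/" not in r}


def audit(realm_xml, node_uris, acl_subjects, users_root="/users"):
    """Compare both stores and classify every user name."""
    realm = realm_users(realm_xml)
    nodes = names_below(node_uris, users_root)
    granted = names_below(acl_subjects, users_root)
    return {
        # Passes Tomcat, then denied by Slide: no node below users_root.
        "no_slide_node": sorted(realm - nodes),
        # Node exists, but no ACL entry names this user.
        "no_acl_entry": sorted((realm & nodes) - granted),
        # Slide user that can never authenticate against the realm.
        "no_realm_entry": sorted(nodes - realm),
        "consistent": sorted(realm & nodes & granted),
    }


if __name__ == "__main__":
    for finding, users in audit(REALM_XML, SLIDE_NODE_URIS,
                                SLIDE_ACL_SUBJECTS).items():
        print(f"{finding}: {users}")
```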