Posted to users@tomcat.apache.org by "Craig R. McClanahan" <Cr...@eng.sun.com> on 2000/12/13 03:40:20 UTC
Re: How to role your own Security/RequestInterceptor? (SimpleRealm::authorize() question)
Mike La Budde wrote:
> Please note: I'm using Tomcat 3.2
>
> 1) I'm interested in creating my own RequestInterceptor for security
> purposes. Using SimpleRealm as a base/model, it is clear that I must
> implement at least the following two functions:
>
> public int authenticate( Request req, Response response )
> public int authorize( Request req, Response response, String roles[] )
>
> The authenticate() is clear, since it simply calls req.setRemoteUser( user );
>
> However, I'm a little confused by the behavior of the authorize() function.
> It returns a 401 when the user is not authorized (which is fine) but it
> returns a 0 if the user is authorized. How come it doesn't return a 200??
I didn't write the interceptor stuff, so don't blame me for inconsistencies in
result codes :-). More seriously, I believe this was modelled after the way that
Apache modules work, where zero is the usual response that says "keep going".
Returning a "200" would mean "stop processing this request and just send back a
200 status with no response data" -- probably not what you want.
Instead of looking at SimpleRealm as a model, you might want to look at JDBCRealm
(in the same org.apache.tomcat.request package) instead. In fact, if all you
want to do is store users and roles in a database, you can probably just use this
and not even write one yourself.
>
> 2) Is there an easier/better method for implementing your own security
> mechanism into Tomcat?
>
As above, see if JDBCRealm meets your needs.
>
> 3) What are other people doing to implement security?
>
> 4) I'm assuming that anything I do for this will _NOT_ be portable (at
> least not without some effort) to a different JSP/Servlet engine. Any
> thoughts, comments, experience with this?
>
Yep -- request interceptors (Tomcat 3.x) and valves (Tomcat 4.x) are container
specific mechanisms. Different containers offer differing support for
integrating your own authentication inside the container.
In a servlet 2.3 environment (i.e. Tomcat 4.0), however, you have the additional
option to implement security in a Filter. These are portable across 2.3
containers in the same way that servlets are.
>
> TIA,
>
> Mike
>
Craig
>
> PS: The misspelling (role) in the subject was intentional ;-) Any others r
> juste my dum misteaks...
>
:-)
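A portable alternative along the lines Craig describes, added here as an illustration and not part of the original thread: a Servlet 2.3 Filter that enforces role-based authorization. It assumes the container has already authenticated the caller (via login-config in web.xml) and that the allowed roles arrive through a hypothetical comma-separated "roles" init-param.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Portable authorization filter for the Servlet 2.3 API. The container still
// authenticates the caller (login-config in web.xml); this filter only decides
// whether the authenticated principal may reach the resource, mirroring the
// "0 = keep going, 401 = stop" interceptor semantics discussed above.
public class RoleAuthorizationFilter implements Filter {
    // Roles accepted for this mapping, read from a comma-separated "roles"
    // init-param in web.xml (the init-param name is an assumption).
    private final Set<String> allowedRoles = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("roles");
        if (param == null) return;
        for (String role : param.split(",")) {
            allowedRoles.add(role.trim());
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // No principal: the container has not authenticated this request.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but holding none of the allowed roles: stop here.
        if (!isAllowed(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Equivalent of the interceptor returning 0: pass the request on.
        chain.doFilter(request, response);
    }

    boolean isAllowed(HttpServletRequest req) {
        for (String role : allowedRoles) {
            if (req.isUserInRole(role)) return true;
        }
        return false;
    }

    public void destroy() { allowedRoles.clear(); }
}
```

Map the filter to the protected URL patterns in web.xml; unlike a RequestInterceptor it only sees requests the container has already routed, so it complements rather than replaces the container's own authentication.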