You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/06/24 05:49:38 UTC

[Bug 59750] New: Amend "authenticate" method with context by means of HttpServletRequest

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

            Bug ID: 59750
           Summary: Amend "authenticate" method with context by means of
                    HttpServletRequest
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: hauser@acm.org

Principal org.apache.catalina.Realm.authenticate(String username, String
credentials) and the other authentication methods should be enhanced with the
request.

Purpose: during an authentication, it should be possible in a webApp-level log
to record important details such as 
- remote IP
- SSL cipher
- client cert used (if applicable)

At least interface Authenticator.authenticate() and

   boolean
org.apache.catalina.authenticator.AuthenticatorBase.authenticate(Request
request, HttpServletResponse response) throws IOException

have everything needed.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by Mark Thomas <ma...@apache.org>.

On 06/06/2019 20:06, bugzilla@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
> 
> --- Comment #14 from jerry <je...@gmail.com> ---

I've disabled this idiot's account.

I'll delete the comment from the database shortly.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #14 from jerry <je...@gmail.com> ---
Technical side of the main subject. For example Tomcat F14 Fighter Jet.
The specification of a Tomcat will be a good reference.
The complication of the machine and material. 
Will come in handle for us to digest in the long run.
Project basic Etc
In term of troubleshooting And Upgrading.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
What about a listener for authentication events?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Michael Osipov from comment #5)
> GSSName or X509Certificate and like. I always prefer passing Object and the
> implementation decides about the cast.

Seems reasonable.

Tomcat only supports authentication for string usernames or X509 certificates
(where the "username" is extracted as a String value from the certificate via a
X509UsernameRetriever). Do you still feel there is a need for the
user-identifier to be a generic Object?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #11 from Mark Thomas <ma...@apache.org> ---
JASPIC exposes both the request and the response. The solution to this one
could just be "Use JASPIC".

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---
Created attachment 35824
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35824&action=edit
Draft patch to give an idea of the proposal

See this draft patch for something that might work. At least, it will meet *my*
needs. There is no provision for registering these listeners. It's just an
example of how this kind of thing could work with FormAuthenticator as the
guinea pig class.

Comments welcome.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #8 from Christopher Schultz <ch...@christopherschultz.net> ---
Two additional thoughts:

1. Could this be implemented as a Realm which can wrap another realm? This may
simplify things when a user wants to authenticate using one-of-many concrete
realm implementations.

2. Does JASPIC provide anything like this already, or specify any interfaces,
etc. for this kind of thing?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #10 from Remy Maucherat <re...@apache.org> ---
I agree you could experiment with a combined realm (lockout realm is an example
of that indeed), it would need to call your listener in authenticate and
invoke.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #9 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Christopher Schultz from comment #8)
> Two additional thoughts:
> 
> 1. Could this be implemented as a Realm which can wrap another realm? This
> may simplify things when a user wants to authenticate using one-of-many
> concrete realm implementations.

Justification for Realm over Authenticator:

1. Realm is easier to configure for users than authenticator(s)
2. Realm is more flexible since they can be nested ; you can track failures of
specific realms separately from one another
3. Custom authenticators do not need to be re-written to use this new
capability

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #7 from Michael Osipov <19...@gmx.net> ---
(In reply to Christopher Schultz from comment #6)
> (In reply to Michael Osipov from comment #5)
> > GSSName or X509Certificate and like. I always prefer passing Object and the
> > implementation decides about the cast.
> 
> Seems reasonable.
> 
> Tomcat only supports authentication for string usernames or X509
> certificates (where the "username" is extracted as a String value from the
> certificate via a X509UsernameRetriever). Do you still feel there is a need
> for the user-identifier to be a generic Object?

I would always retain as much information as possible. Regaining it is
impossible afterwards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #13 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Mark Thomas from comment #11)
> JASPIC exposes both the request and the response. The solution to this one
> could just be "Use JASPIC".

Sounds great. Now how does one "use JASPIC" to use a simple DataSource for
authentication? If someone who understands JASPIC could do a write-up on how to
configure (or code) against a standard username/hashed-password database table,
that would be very helpful.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #3 from Michael Osipov <19...@gmx.net> ---
(In reply to Christopher Schultz from comment #2)
> Created attachment 35824 [details]
> Draft patch to give an idea of the proposal
> 
> See this draft patch for something that might work. At least, it will meet
> *my* needs. There is no provision for registering these listeners. It's just
> an example of how this kind of thing could work with FormAuthenticator as
> the guinea pig class.
> 
> Comments welcome.

This applies to FormAuthenticator only? The API isn't generic enough. Don't
assume the username to be a string only.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #5 from Michael Osipov <19...@gmx.net> ---
(In reply to Christopher Schultz from comment #4)
> (In reply to Michael Osipov from comment #3)
> > (In reply to Christopher Schultz from comment #2)
> > > Created attachment 35824 [details]
> > > Draft patch to give an idea of the proposal
> > > 
> > > See this draft patch for something that might work. At least, it will meet
> > > *my* needs. There is no provision for registering these listeners. It's just
> > > an example of how this kind of thing could work with FormAuthenticator as
> > > the guinea pig class.
> > > 
> > > Comments welcome.
> > 
> > This applies to FormAuthenticator only? The API isn't generic enough. Don't
> > assume the username to be a string only.
> 
> This was a proof of concept, to get feedback. Can you suggest a username
> that cannot be represented as a string?

GSSName or X509Certificate and like. I always prefer passing Object and the
implementation decides about the cast.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #12 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Christopher Schultz from comment #9)
> Justification for Realm over Authenticator:

Justification for not using Realm:

1. No access to HttpServletRequest (for e.g. IP logging)

:(

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59750] Amend "authenticate" method with context by means of HttpServletRequest

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

--- Comment #4 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Michael Osipov from comment #3)
> (In reply to Christopher Schultz from comment #2)
> > Created attachment 35824 [details]
> > Draft patch to give an idea of the proposal
> > 
> > See this draft patch for something that might work. At least, it will meet
> > *my* needs. There is no provision for registering these listeners. It's just
> > an example of how this kind of thing could work with FormAuthenticator as
> > the guinea pig class.
> > 
> > Comments welcome.
> 
> This applies to FormAuthenticator only? The API isn't generic enough. Don't
> assume the username to be a string only.

This was a proof of concept, to get feedback. Can you suggest a username that
cannot be represented as a string?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org