Posted to users@tomcat.apache.org by Bárbara Vieira <ba...@di.uminho.pt> on 2007/11/28 00:23:49 UTC

Tomcat's container architecture - Authenticator

 

Hi there!

This question is about the Authenticator package. I would appreciate it if
anyone can help me.

 

I’m implementing a Valve and a Realm to provide authentication and
authorization using two authentication methods at the same time: FORM and
CERT-CLIENT. Obviously, I’m looking at the authenticator package code, more
precisely at AuthenticatorBase.class and FormAuthenticator.class, and
analyzing it. This analysis has raised some questions about what the
author is doing in the invoke method of the AuthenticatorBase class. In other
words, what I would like to know is: why does the author put the
Principal on the request, and then, as the next step, authenticate the request?!
I don’t understand the reason why we have to pass the request to the
authenticate method in the FormAuthenticator class, because that method isn’t
doing anything if the request has a principal. This doesn’t make any sense,
because first we put the principal on the request and next, in the
authenticate method, we just test if the request has a principal. Why do we
have to put the principal on the request?! Why can’t we just authenticate
the user if the request has a principal, or if the principal is in the internal
session?!

I’m a little bit confused about that :)

 

Thanks for everything,

Regards from Braga, Portugal,

Bárbara Vieira