Posted to dev@tomcat.apache.org by David Cittadini <Da...@blackmarble.com> on 2001/03/23 03:41:16 UTC

Realm design

I have a few questions about the Realm design:

a) How does a Realm find details of the Login Config for
the Context currently being authenticated?  When developing a Realm it may
be very useful to determine the authentication method used.  However, at the
moment the Realm is just told to authenticate.  The Realm may also be
attached to the "global" level and therefore have no idea which Context the
authentication request came from.  Seems to me that it would be useful for
the Realm to be able to determine the Login Config so that it can adjust any
authentication processes as required.

b) Why aren't CLIENT-CERT authentications passed onto the
registered Realm?  At the moment, Realms only seem to be passed to process
BASIC authentication requests.  At the moment certificate requests are
processed by the automatically injected CertificateValve.  Why can't Realms
process CLIENT-CERT requests?

Thanks, David.

Re: Realm design

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 23 Mar 2001, David Cittadini wrote:

> I have a few questions about the Realm design:
> 
> a) How does a Realm find details of the Login Config for
> the Context currently being authenticated?  When developing a Realm it may
> be very useful to determine the authentication method used.  However, at the
> moment the Realm is just told to authenticate.  The Realm may also be
> attached to the "global" level and therefore have no idea which Context the
> authentication request came from.  Seems to me that it would be useful for
> the Realm to be able to determine the Login Config so that it can adjust any
> authentication processes as required.

It would be feasible to pass the login configuration being used as a
request attribute or something, but I'm struggling to see a use case for
this.  Could you describe how a Realm might want to behave differently?

> b) Why aren't CLIENT-CERT authentications passed onto the
> registered Realm?  At the moment, Realms only seem to be passed to process
> BASIC authentication requests.  At the moment certificate requests are
> processed by the automatically injected CertificateValve.  Why can't Realms
> process CLIENT-CERT requests?
> 

CertificateValve only exposes the client certificate chain that exists (if
there is one).  It does no authentication.  In order for any Realm to get
called, you have to submit a request to a URL that is protected by an
appropriate security constraint -- and this works for all four kinds of
login configurations.

Currently, for authentication, SSLAuthenticator just checks for a valid
certificate chain.  The Realm will be consulted, though, to check out role
assignments (either for comparing to a security constraint, or because
your app calls HttpServletRequest.isUserInRole()).

> Thanks, David.
> 

Craig McClanahan
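As an added illustration (not part of the thread, and not Tomcat's own files), the following Servlet 2.3 style web.xml fragment shows the two pieces Craig's reply says are needed before any Realm is consulted under CLIENT-CERT: a security constraint that names a role, and a CLIENT-CERT login-config. The URL pattern and role name are made-up values.

```xml
<!-- Constructed example web.xml fragment; other elements omitted. -->
<web-app>

  <!-- Only requests matching this constraint ever involve the Realm.
       The authenticator chosen by login-config (SSLAuthenticator for
       CLIENT-CERT) checks that a valid certificate chain is present; the
       Realm is then asked whether the resulting principal holds the role
       listed in auth-constraint (and again for isUserInRole() calls). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>          <!-- made-up path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert-admin</role-name>            <!-- made-up role -->
    </auth-constraint>
    <user-data-constraint>
      <!-- Forces an SSL connection, the only place a client chain can be presented. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Selects certificate-based authentication instead of BASIC. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <!-- Declares the role so the container can map it to Realm role assignments. -->
  <security-role>
    <role-name>cert-admin</role-name>
  </security-role>

</web-app>
```

A request to an unconstrained URL in the same context never reaches the Realm, which is the behaviour David observed as "Realms only being passed BASIC requests".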