Posted to dev@tomcat.apache.org by Remy Maucherat <re...@apache.org> on 2005/03/30 18:12:35 UTC
Some changes
I will propose making some changes:
- Add Jan's patch to have an ISE thrown for Session.getId if the session
is expired. However, it is important for container internal components
to be able to call getId, even if the session is invalidated. As a
result, I propose adding a Session.getIdInternal method (or propose
another name) which would do the same as the old getId.
- I reported some mess with the JAAS realm some time earlier, which has
to maintain a map of principals, which is messy and makes code more
complex (as well as needlessly leaking memory). We do have the exact
same issue in JBoss, as we use JAAS as well. Scott Stark proposed
storing the user principal to be returned by Request.getUserPrincipal
inside the GenericPrincipal itself, while the regular GenericPrincipal
would be used for calls to hasRole (removing the need for the JAAS realm
to override the method).
This would mean adding a new constructor to GenericPrincipal:
/**
 * Construct a new Principal, associated with the specified Realm, for the
 * specified username and password, with the specified role names
 * (as Strings).
 *
 * @param realm The Realm that owns this principal
 * @param name The username of the user represented by this Principal
 * @param password Credentials used to authenticate this user
 * @param roles List of roles (must be Strings) possessed by this user
 * @param userPrincipal The principal to be returned from the
 *        request getUserPrincipal call if not null.
 */
public GenericPrincipal(Realm realm, String name, String password,
                        List roles, Principal userPrincipal)
That's all the proposals I have for now.
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
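The two proposals above (a Session.getId that refuses to serve an invalidated session while container internals keep a getIdInternal, and a GenericPrincipal that carries the application-visible principal itself instead of the JAAS realm keeping a side map) can be sketched together. The following is an added illustration written for this page, not Tomcat's or JBoss's own code: the class names mirror the proposal, but the bodies, the lambda-based JAAS principal and the session id are constructed here and omit the Realm parameter and everything else the real classes carry.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Simplified stand-in for the proposed GenericPrincipal (not Tomcat's code).
// Roles stay in this object so the container's hasRole() keeps working,
// while the optional userPrincipal is what Request.getUserPrincipal()
// hands to the application. No separate map of principals is needed,
// so nothing outlives the principal itself.
final class GenericPrincipal implements Principal {
    private final String name;
    private final String password;        // credentials, kept as in the proposal
    private final Set<String> roles;
    private final Principal userPrincipal; // may be null

    GenericPrincipal(String name, String password, List<String> roles,
                     Principal userPrincipal) {
        this.name = name;
        this.password = password;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        this.userPrincipal = userPrincipal;
    }

    @Override
    public String getName() {
        return name;
    }

    // Authorisation decision: consults this object's roles, never the embedded principal.
    boolean hasRole(String role) {
        return roles.contains(role);
    }

    // What the request returns to the webapp: the embedded principal if set, else this one.
    Principal getUserPrincipal() {
        return userPrincipal != null ? userPrincipal : this;
    }
}

// Simplified stand-in for the proposed Session change (not Tomcat's code).
// getId() throws once the session is invalidated, so application code
// cannot keep using or logging a dead identifier; getIdInternal() still
// lets container components such as the manager look it up for cleanup.
final class Session {
    private final String id;
    private boolean valid = true;

    Session(String id) {
        this.id = id;
    }

    String getId() {
        if (!valid) {
            throw new IllegalStateException("getId: session has been invalidated");
        }
        return id;
    }

    String getIdInternal() {
        return id;
    }

    void invalidate() {
        valid = false;
    }
}

public class Demo {
    public static void main(String[] args) {
        // Constructed example: a JAAS login module produced its own Principal type.
        Principal jaasUser = () -> "alice@EXAMPLE.ORG";
        GenericPrincipal gp = new GenericPrincipal("alice", null,
                Arrays.asList("manager", "user"), jaasUser);

        // Container checks roles on the GenericPrincipal ...
        System.out.println("hasRole(manager): " + gp.hasRole("manager"));
        // ... while the application sees the JAAS principal.
        System.out.println("getUserPrincipal(): " + gp.getUserPrincipal().getName());

        // Without an embedded principal, the GenericPrincipal itself is returned.
        GenericPrincipal plain = new GenericPrincipal("bob", null,
                Arrays.asList("user"), null);
        System.out.println("plain returns itself: " + (plain.getUserPrincipal() == plain));

        Session s = new Session("constructed-session-id");
        s.invalidate();
        System.out.println("internal id after invalidate: " + s.getIdInternal());
        try {
            s.getId();
        } catch (IllegalStateException e) {
            System.out.println("getId after invalidate: " + e.getMessage());
        }
    }
}
```

Save as Demo.java and run with javac/java (Java 8 or later, since the JAAS principal is a lambda over java.security.Principal). The split between hasRole and getUserPrincipal is the point: authorisation keeps using the container's own role list, the webapp gets the realm-specific principal, and the lifetime of that principal is tied to the GenericPrincipal rather than to a map the realm must remember to clean.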
Re: Some changes
Posted by Remy Maucherat <re...@apache.org>.
Remy Maucherat wrote:
> I will propose making some changes:
>
> - Add Jan's patch to have an ISE thrown for Session.getId if the session
> is expired. However, it is important for container internal components
> to be able to call getId, even if the session is invalidated. As a
> result, I propose adding a Session.getIdInternal method (or propose
> another name) which would do the same as the old getId.
>
> - I reported some mess with the JAAS realm some time earlier, which has
> to maintain a map of principals, which is messy and makes code more
> complex (as well as needlessly leaking memory). We do have the exact
> same issue in JBoss, as we use JAAS as well. Scott Stark proposed
> storing the user principal to be returned by Request.getUserPrincipal
> inside the GenericPrincipal itself, while the regular GenericPrincipal
> would be used for calls to hasRole (removing the need for the JAAS realm
> to override the method).
> This would mean adding a new constructor to GenericPrincipal:
> /**
>  * Construct a new Principal, associated with the specified Realm, for the
>  * specified username and password, with the specified role names
>  * (as Strings).
>  *
>  * @param realm The Realm that owns this principal
>  * @param name The username of the user represented by this Principal
>  * @param password Credentials used to authenticate this user
>  * @param roles List of roles (must be Strings) possessed by this user
>  * @param userPrincipal The principal to be returned from the
>  *        request getUserPrincipal call if not null.
>  */
> public GenericPrincipal(Realm realm, String name, String password,
>                         List roles, Principal userPrincipal)
>
> That's all the proposals I have for now.
Ok, so nobody cares ;) I'll commit the changes then.
Another thing:
The purpose of DataSourceRealm.authenticate overriding seems to be to
use only one "connection" for the full authentication process. This
seems to me like a rather pointless optimization, and straight
delegation to the RealmBase should be used instead.
I added this myself as part of an omnibus patch which was submitted to
fix a very serious problem (I was anxious to commit it ...), so I'm
partially vetoing myself here :)
The change would be to remove the two DataSourceRealm.authenticate methods.
Comments?
Rémy