Posted to dev@tomcat.apache.org by brian moseley <bc...@maz.org> on 2001/09/17 21:02:55 UTC

JNDIRealm and virtual hosting

i'm writing an application that uses JNDIRealm for
authentication. works great, but having to configure
connection information in server.xml is a bit limiting. so i'm
trying to figure out the right way to support virtual
hosting for JNDIRealm (and possibly by extension for all
realms and authenticators).

the goal: a single host, realm and context are configured in
server.xml. user a visits the application at
http://www.domain1.com, which connects to ldap.domain1.com
for dn cn=a,dc=domain1,dc=com with one set of connection
info and role base. user b visits the same application at
http://www.domain2.net, which connects to ldap.domain2.net
for dn cn=b,dc=domain2,dc=net with a different set of
connection info and role base.

seems like JNDIRealm would have to be modified in these
ways:

1) don't open connection in start() or close it in stop()
2) don't maintain a single InitialDirContext for the realm,
   but rather get a new one for each connection
3) sport an interface for allowing the authenticator to pass
   in a virtual host name (extracted from
   request.getServerName()), and retrieving connection info
   for that virtual host

a "service location and configuration" mechanism that solves
#3 would probably be useful for many components. also it may
have an impact on the Realm interface. so i would like to
get some feedback before i take a knife to anything.

i thought initially about configuring a resource in
server.xml for each ldap server, but that approach doesn't
scale well. still, allowing the realm to look up connection
information using jndi seems reasonable. i'm just not sure
of the right way to publish the connection info in the first
place.

thoughts? anybody else find this to be an issue?
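
Added example, not part of the original post and not Tomcat's JNDIRealm code: one way points 2 and 3 of the list above could look, with a per-virtual-host registry and a fresh InitialDirContext for each authentication. The class, method and field names are hypothetical; the sketch assumes the stock JDK LDAP provider and treats the value of request.getServerName() as client-controlled input, so it is only ever a lookup key and unknown hosts fail closed.

```java
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
// Hypothetical helper: every class, method and field name here is an assumption.
public class VirtualHostDirectories {
    public static final class Settings {
        public final String connectionURL, roleBase;
        public Settings(String connectionURL, String roleBase) {
            this.connectionURL = connectionURL;
            this.roleBase = roleBase;
        }
    }
    private final Map<String, Settings> byHost = new ConcurrentHashMap<>();
    public void register(String host, Settings s) {
        byHost.put(normalize(host), s);
    }

    // The server name comes from the client's Host header, so it is used only
    // as a key into pre-registered settings, never to build an LDAP URL.
    public Settings lookup(String serverName) throws NamingException {
        Settings s = serverName == null ? null : byHost.get(normalize(serverName));
        if (s == null) throw new NamingException("no directory configured for this virtual host");
        return s;
    }

    // A new context per authentication attempt; the caller must close() it.
    public DirContext open(String serverName, String userDn, String password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind
        // that many servers accept, so reject it before contacting the server.
        if (password == null || password.isEmpty()) throw new AuthenticationException("empty password");
        Settings s = lookup(serverName);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, s.connectionURL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Host names are case-insensitive and may carry a trailing root dot.
    private static String normalize(String host) {
        return host.trim().toLowerCase(Locale.ROOT).replaceAll("\\.$", "");
    }
}
```

With the post's names, www.domain1.com would be registered against an ldap.domain1.com URL and www.domain2.net against ldap.domain2.net, each with its own role base. A request arriving with any other Host value gets a NamingException rather than a connection attempt.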