Posted to dev@tomcat.apache.org by Jack <ja...@hotmail.com> on 2006/01/20 10:53:49 UTC
The original Realm
"Terry Zhou" <zh...@gmail.com> wrote in message
news:daa09eb00601200137k6e9fa75cr@mail.gmail.com...
>Tomcat does have a realm at different levels (Engine, Host, Webapp) for
>security.
>Check http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
Personally, I believe that the original Realm mixes up authentication &
authorization.
It should be separated into an Authorizer & a UserRealm.
The reason I suggest adding a user package is that the source code of the
original implementation is not easy to integrate into the source code of a
web-app.
Principal is web-app dependent
HttpServletRequest.getRemoteUser() returns the name of the user making the
request. When we use certificates, the returned object is not well defined,
since there is no name here.
HttpServletRequest.getUserPrincipal() doesn't have a good definition,
either. It just says the principal name of the current authenticated user.
So, what is in the returned Principal object is up to the container, too.
However, the reason to have such a method is to let the web-app access
it. And so, the returned Principal should be web-app dependent. We had
better ask the web-app to implement the Principal if the web-app cares who
the user is. In such a case, we had better leave authentication to the
web-app (in UserContext), too.
If the web-app doesn't care at all, then we can use GenericPrincipal as the
current implementation.
jackzhp@hotmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
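The post's complaint that getRemoteUser() and getUserPrincipal() return whatever the container decided, and that a certificate-authenticated user has no obvious "name", can be contained at the web-app boundary without changing the Realm. The following is an added example, not code from the post, the thread, or Tomcat itself: a servlet Filter that wraps the request and hands servlets a Principal class owned by the web-app, built either from the client certificate chain the container verified (exposed by the Servlet specification as the request attribute javax.servlet.request.X509Certificate) or, failing that, from the name of whatever Principal the container's Realm produced (GenericPrincipal or anything else). The names AppPrincipalFilter, AppPrincipal, Source and resolve() are assumptions made for this illustration; the Servlet API and java.security calls are standard.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/*
 * Hypothetical filter (not Tomcat code): gives the web-app its own Principal type
 * so that servlets never depend on the class the container happened to choose.
 */
public final class AppPrincipalFilter implements Filter {

    /** Attribute name defined by the Servlet specification; the container sets it after TLS client auth. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** The web-app's own Principal: a name plus a record of how that name was established. */
    public static final class AppPrincipal implements Principal {
        public enum Source { CLIENT_CERT, CONTAINER }

        private final String name;
        private final Source source;
        private final X500Principal certSubject;   // non-null only for Source.CLIENT_CERT

        AppPrincipal(String name, Source source, X500Principal certSubject) {
            this.name = name;
            this.source = source;
            this.certSubject = certSubject;
        }

        public String getName() { return name; }
        public Source getSource() { return source; }
        public X500Principal getCertSubject() { return certSubject; }

        @Override public String toString() { return source + ":" + name; }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            final AppPrincipal p = resolve((HttpServletRequest) req);
            req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                @Override public Principal getUserPrincipal() { return p; }
                // getRemoteUser() now has exactly one meaning: the AppPrincipal's name, or null.
                @Override public String getRemoteUser() { return p == null ? null : p.getName(); }
            };
        }
        chain.doFilter(req, res);
    }

    /**
     * Decide who the caller is. Order matters: a client certificate chain the container
     * verified is the strongest evidence, so it wins over whatever name the container's
     * Realm put into its Principal. Returns null for an unauthenticated request.
     */
    static AppPrincipal resolve(HttpServletRequest http) {
        Object attr = http.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            if (chain.length > 0) {
                // chain[0] is the end-entity certificate; RFC 2253 gives a stable string form of the subject DN
                X500Principal subject = chain[0].getSubjectX500Principal();
                return new AppPrincipal(subject.getName(X500Principal.RFC2253),
                                        AppPrincipal.Source.CLIENT_CERT, subject);
            }
        }
        Principal container = http.getUserPrincipal();
        if (container != null && container.getName() != null && container.getName().length() > 0) {
            // Only getName() is read, so the container's Principal class (GenericPrincipal or other) does not leak in
            return new AppPrincipal(container.getName(), AppPrincipal.Source.CONTAINER, null);
        }
        return null;   // nothing authenticated this request
    }
}
```

Two caveats a practitioner should check before relying on this. First, the filter trusts the certificate attribute only because the container populates it after verifying the chain against its own truststore; the web-app never parses a certificate out of an HTTP header, since any client can send a header. If TLS is terminated in front of Tomcat, that attribute is absent unless the container is explicitly configured to rebuild it from the proxy, and that reconstruction belongs in the container, not in web-app code. Second, the filter must be mapped to every path the application protects and run before any code that calls getUserPrincipal(); otherwise a servlet still sees the container's raw Principal on some requests and the web-app's on others.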