Posted to dev@tomcat.apache.org by Remy Maucherat <re...@exoffice.com> on 2000/05/08 19:29:30 UTC

[Catalina] Re: Authentication questions

> I've been looking over the current implementation of authentication in
> catalina and I have some questions.
>
> 1. The current code for BASIC authentication doesn't seem to set the
>    response's auth type. Shouldn't it be set anytime the authentication
>    returns true?

The challenge (401 + WWW-Authenticate) is issued only if the client does not
provide an Authorization header (and tries to access a resource on which a
security constraint is defined), or if he uses an unsupported authentication
scheme. AFAIK, if the user is authenticated, no header has to be set, and
the client gets an answer with a status != 401 (so he knows the
authentication succeeded). If I missed something, could you refer me to the
correct section in the HTTP RFC?

> 2. Given a deployment with a login-config and an auth-method. Who is in
>    charge of validating that the correct authentication is done? Is it the
>    container who should look at the auth-method and decide what to do? If
>    so what happens if someone doesn't supply a valve for an auth-method?
>    How does the container know what auth-method goes with what valve?

A security valve (like HttpBasicValve) is associated with a context. The
authentication is done by the associated realm. Right now, we use the
MemoryRealm, which is initialized by the conf/tomcat-users.xml file. Your
servlet or any containers contained in the Context don't have to know
anything about the authentication method used. Does this answer your
question?

Remy
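The split Remy describes (a valve that decides whether to challenge, a realm loaded from tomcat-users.xml that decides whether credentials are valid) as an added, self-contained example. This is illustration code written for this page, not Catalina's HttpBasicValve or MemoryRealm; the class names, the `invoke(path, headers)` signature, the tuple return value and the sample XML are all assumptions made here. It shows the two cases in the reply that produce a 401 + WWW-Authenticate (no Authorization header, unsupported scheme) and that a successful login adds no header to the response. As a caveat the page does not mention, the realm compares passwords with a constant-time comparison and also returns 403 when the user authenticates but lacks the role the constraint requires, so a wrong password and a missing role are distinguishable without leaking which usernames exist.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the shape of conf/tomcat-users.xml (not a real deployment file).
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <user name="alice" password="s3cret" roles="manager,tomcat"/>
  <user name="bob" password="hunter2" roles="tomcat"/>
</tomcat-users>
"""


class MemoryRealm:
    """Hypothetical realm initialised from tomcat-users.xml-style XML.
    The realm, not the valve, decides whether a username/password pair is valid."""

    def __init__(self, xml_text):
        self._users = {}
        for user in ET.fromstring(xml_text).iter("user"):
            roles = tuple(r.strip() for r in user.get("roles", "").split(",") if r.strip())
            self._users[user.get("name")] = (user.get("password"), roles)

    def authenticate(self, username, password):
        """Return (username, roles) on success, None otherwise."""
        stored, roles = self._users.get(username, ("", ()))
        # Constant-time compare; an unknown user still pays for a comparison,
        # so timing does not reveal whether the name exists.
        if stored and hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
            return (username, roles)
        return None


class HttpBasicValve:
    """Hypothetical valve: for one request, return (status, extra_headers, principal).
    constraints maps a path prefix to the role it requires."""

    def __init__(self, realm, realm_name, constraints):
        self.realm = realm
        self.realm_name = realm_name
        self.constraints = dict(constraints)

    def _challenge(self):
        # The only case in which the valve adds a header: the 401 challenge.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % self.realm_name}, None

    def invoke(self, path, headers):
        required_role = next((role for prefix, role in self.constraints.items()
                              if path.startswith(prefix)), None)
        if required_role is None:
            return 200, {}, None  # no security constraint on this resource: never challenge
        auth = headers.get("Authorization")
        if auth is None:
            return self._challenge()  # no Authorization header at all
        scheme, _, credentials = auth.partition(" ")
        if scheme.lower() != "basic":
            return self._challenge()  # unsupported scheme gets the same answer
        try:
            decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return self._challenge()  # malformed credentials are treated as absent
        username, sep, password = decoded.partition(":")
        if not sep:
            return self._challenge()
        principal = self.realm.authenticate(username, password)
        if principal is None:
            return self._challenge()  # bad password: challenge again, no detail
        if required_role not in principal[1]:
            return 403, {}, principal  # authenticated, but not authorised for this resource
        return 200, {}, principal  # success: status != 401 and no extra header


def basic_header(username, password):
    """Build the client side of the exchange: the Authorization header."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def build_valve():
    realm = MemoryRealm(TOMCAT_USERS_XML)
    return HttpBasicValve(realm, "Catalina", {"/admin/": "manager", "/app/": "tomcat"})


if __name__ == "__main__":
    valve = build_valve()
    for path, hdrs in [("/index.html", {}),
                       ("/admin/", {}),
                       ("/admin/", {"Authorization": "Digest abc"}),
                       ("/admin/", basic_header("alice", "wrong")),
                       ("/admin/", basic_header("bob", "hunter2")),
                       ("/admin/", basic_header("alice", "s3cret"))]:
        print(path, hdrs, "->", valve.invoke(path, hdrs))
```

Running the block walks through the six cases in order: an unconstrained resource, a missing header, an unsupported scheme, a wrong password, a valid user without the required role, and a valid manager login; only the three challenge cases carry a WWW-Authenticate header.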