Hi.
I have notv really followed this thread from the beginning, but maybe I can contribute
something here..
On 07.09.2015 15:56, Sreyan Chakravarty wrote:
..
Also can I webapp have different realms ? If so how do you distinguish them
? I was looking at the RealmBase source and I haven't noticed a place for
realmName. If not then what is the use of the <realmName> element in
web.xml ?
One webapp can only have one realm, but several webapps (or let's say more generically
several areas in "URL space" on the server) can share the same realm.
The "realm" is something that the server sends back to the browser in the "401
Authorization required response". It is just a "label", which in terms of AAA, identifies
a certain collection of resources on the server, covered by the same
authentication/authorization requirements.
In the server configuration, you can choose yourself which resources are covered by the
same realm (label).
It is easier to explain this by example, in the general context of the HTTP
protocol.
The basic way in which AAA works in a webserver is this :
1) the client/browser sends a request to the server, with a specific URL, which resolves
on the server to some resource
2) the server evaluates the request, and resolves the resource to which it applies (e.g. a
static html page, a servlet, ..). The server then checks in its configuration, if this
resource is protected. If not, it returns the requested resouerces to the client, and
that's it.
3) if the request is protected, the server checks if the request contains some form of
authentication. If yes, the server checks if this authentication is valid, and applicable
to this resource. If yes, the server returns the requested resource, and that's it.
If not, the server returns a "forbidden" response.
4) If the request did not contain an authentication, the server returns a response to the
client : "401 Authorization required", along with a realm (the "label" applicable to this
resource, as per the server configuration), *and* the required authentication method (e.g.
"Basic" or "Digest").
5) the client sees this response, and interacts with the user to obtain the required
user-id/password. Once obtained, the client/browser repeats the same request to the
server, but this time with some additional HTTP header(s) containing the requested
authentication. At the same time, the client/browser "remembers" this authentication, and
remembers to which "realm" it applies.
Then go back to (1) above.
If the client/browser (within the same browser session), later accesses the same or
another resource, and it receives from the server another 401 "auth required" response
with a realm in it, and the browser knows that *for this same realm* it already had a
remembered authentication, then it can send the same one again to the server, without
needing to ask the user again to fill-in a login dialog.
This is a pure HTTP-level mechanism, which works independently of any "session" that one
may have on the server (as long as the authentication method is "Basic" or "Digest").
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
