Re: Access to source IP address during authentication and authorization

Tue, 08 Aug 2017 06:01:39 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 8/8/17 8:49 AM, Mark Thomas wrote:
> On 08/08/17 13:44, Christopher Schultz wrote:
> 
> <snip/>
> 
>> I have no problem with Tomcat having access to the IP address. I
>> just want Tomcat to make that IP address available to the
>> authenticator component in some way.
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
> 
> Implementing that in a way that is truly backwards compatible
> requires a little thought.

I agree that backward-compatibility is a significant issue, since the
Realm interface hasn't changed since ... well, ever.

How about cheating and using a ThreadLocal?

try {
  tl.set(theRequest)
  authenticator.authenticate(username,password);
} finally {
  tl.set(null);
}

??

For SecurityFilter, we added a sub-interface that adds more methods,
like this:

authenticate(String username, String password);
authenticate(String username, String password, HttpServletRequest req);

Then, the driver does this:

if(realm instanceof ExtendedRealm)
  ((ExtendedRealm)realm).authenticate(username, password, theRequest);
else
  realm.authenticate(username, password);

If using the HttpServletRequest itself is architecturally distasteful,
we could use some other kind of data object, or simply
java.lang.Object (which is a little distasteful itself).

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlmJthYACgkQHPApP6U8
pFhwTw//ZjwS5MtDL7F18OWFrmtxvfyCDbnOiOgwyJxoCCn//xWjQC7sCmb8OZZd
PFnbbzRcU55Ws1+oDz+rZGoXTz8bOOaE0WXQ9r477ETryzjlTNarVgselgQUM24X
zl0cSAMJo4U/fabTrSupSOk1H6OJUwNRI0N4FNYsjpk+mXlScGcZsjycvB6CH5Bp
8ht3J222Q9hdBNatcpLzicfRW5t+smckA+1wxFWBye1gxnG9aaNakcXa/V7nQtoq
nZO636HIvK16LWoudBXUOfHqGTCBYTijfzD37v8LrIsYj6+yJ/ZetkF45tS4nWcF
Gl1vzQQCwY92xd9q6i6UBlnngI898Pp+vuld+mHHwM1nP2dvskO5A4VdYZ+dS4dp
QmMWYKhR4cr2TjOpDKy9hxzuRxeENt1Bnr3Jk2Qiy4o8e0a/e7ksB3JfXS99JfLt
uCprKNMkRG3Uc1+5vZXOQ1kk7Fz1Bryp7xrxgZjXdpHZ1R7GFIgPi6ohbA+GT4NV
dCgYWOPdh1TIcAgOP6dVgHc1H58BX2IjPl8AiKOKLZPKLv+3eWeA5XBz0D1LM0bm
CZ+EwFXCfIr5cFqabvbE99DdojhpT6NPmDjTmJznAV7f8AWHLnyr7eYMQY+pkHdF
GX3oOwzBlw46CVtMnkgu0OrLPnM/X8447RgMs1bJFJ1dpYO0rr8=
=d9LJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to