On 10/02/2016 14:03, Arjan Tijms wrote: > Mark Thomas-2 wrote >> As I thought about this some more, I realised that there is nothing in >> the Servlet Container profile in the JASPIC spec (that I have been able >> to find) about when AuthConfigProvider registration takes place. This >> means that AuthConfigProvider registrations and de-registrations could >> take place while the web application is running. > > It's a good point indeed. In practice it always seems to be either a > ServletContainerInitializer or a ServletContextListener, or of course via a > server proprietary method (outside the application).
Thanks for the confirmation. > I'm not entirely sure what the use case was for having this flexibility. > I'll try to see if I can get a clarification from Ron about this. I wonder > how many implementations even support registrations and de-registrations at > arbitrary moments. Generally, JASPIC appears to favour flexibility over simplicity. My first impression is that there is too much flexibility but I am only looking at it from the fairly narrow scope of a Servlet container. > Mark Thomas-2 wrote >> - have authenticate() check (i.e. on every request) for a JASPIC config >> and use it if present >> - cache what I can (for speed) and use a RegistrationListener to track >> updates > > That should indeed be the approach. > > What the RI roughly does is from its embedded Tomcat in > AuthenticatorBase#invoke it calls an adapter: Thanks but I'm not planning on reading the rest as I am concerned about licensing. <snip/> > Hope this helps. It did. Thanks. It is good to know the code is heading in the right direction. That some of the javaee7-sample unit tests now pass is alsi reassuring. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
