Thank you, David.
After having a glance at JSR-196 Specification, the intuitive of design
decision is to implement the built in auth methods (BASIC, DIGEST, FORM,
CLIENT_CERT) of Tomcat Valve with ServerAuthModule. And I agreed the
difficulty of implementing the auth function into filter you mentioned in
previous mail, so I decided to implementing so independent structure
consistent with JSR-196. As this specification specified, the API is
something like this:
1. AuthConfigFactory factory = AuthConfigFactory.getFactory();
2. AuthConfigProvider provider =
factory.getConfigProvider(layer,appID,listener);
3. ServerAuthConfig config =
provider.getServerAuthConfig(layer,appID,cbh)
4. String authContextID = config.getAuthContextID(messageInfo);
5. ServerAuthContext context =
config.getAuthContext(authContextID,subject,properties);
6. context.secureResponse(messageInfo,subject);
And the functionality of formal Tomcat valve will be refactored into
ServerAuthModule which will be encapsulated by ServerAuthContext.
I'll check where caching could be used for the efficiency.
And I think it is import to go with the specification since it will allow
other developer to contribute their own code, and our code could also be
used by others.
ps: I greatly agree with the structure you give in previous mail:
check user data constraints
Status status = validate request
if (status == success) {
check web resource constraints
process request
secure response
}
2009/4/5 David Jencks <david_jen...@yahoo.com>
>
> On Apr 4, 2009, at 3:01 PM, Xie Xiaodong wrote:
>
> Hello, Dear All,
>> First, thank you very much for you valuable comments, Mark.
>> I've revised my project plan based on the comments of Mark, since I could
>> not edit my proposal any longer, I wrote the revised version of project
>> plan
>> in a comment of my proposal, you can find it for certain by searching the
>> "Show Student Proposal" page with "xiaodong xie wrote". Sorry for this
>> inconvenience.
>> I am now getting myself familiar with the Servlet Container Profile of
>> JSR-196 in order to move the Authentication funcationality of valve into
>> some independent structure consistence with JSR-196. This part will be
>> added
>> into my project proposal in some comment later.
>> Any more comments, feedback and criticism to my proposal are welcomed.
>>
>
> While it is possible to implement the built in auth methods (BASIC, DIGEST,
> FORM, CLIENT_CERT) as jaspi auth modules it's not as efficient as having a
> more tomcat-specific auth method. The important part is really having a
> validate request method called before the web resource constraint check and
> a secure response method called after the request has been processed. There
> are a lot of opportunities for improved caching if you don't follow the
> jaspi model exactly, mostly by letting the authenticator return the user
> identity rather than passing in a brand new Subject instance for each
> request.
>
> I recommend that the valve or filter look something like this:
>
> check user data constraints
> Status status = validate request
> if (status == success) {
> check web resource constraints
> process request
> secure response
> }
> //otherwise the validate request call will have set up an appropriate
> response to continue the authentication message exchange
>
> "validate request" and "secure response" are delegated to some kind of
> authenticator similar to but more efficient than a jaspi auth context
>
> constraint checking can either be (abstract) methods on the (base) valve or
> delegated to some other object. The point here is to easily support both
> constraint based checking (as done in tomcat today) and jacc based
> permission checking (as done in geronimo and presumably other javaee
> integrations such as jboss)
>
> thanks
> david jencks
>
>
>>
>> --
>> Sincerely yours and Best Regards,
>> Xie Xiaodong
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>
--
Sincerely yours and Best Regards,
Xie Xiaodong
