While looking into some problems with the tomcat integration in geronimo around ejb web service security and the jacc integration I realized the simplest way to fix all the problems at once was to rewrite web security including jaspic support.

The new implementation is at

https://svn.apache.org/repos/asf/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security

and it needs a couple of ContextConfig classes in the parent directory to get installed and work.

The main idea here is to replace the Realm with a SecurityValve that delegates authentication decisions to an authenticator and authorization decisions to an authorizer. The authenticator is similar in concept to the jaspic ServerAuthContext but more adapted to servlets. The authorizer exposes the authorization decisions called for by the jaspic spec servlet profile.

I have authenticators for the built-in auth methods and also a jaspic adapter. So far I have only a jacc authorizer but it should be easy to adapt the old code to write one that uses the tomcat constraint objects.

The part that doesn't fit very well is that the Realm concept is used to implement isUserInRole. I wrote a Realm implementation that uses JACC for this. If I were to consider a patch to tomcat for this I would eliminate the Realm concept and have a new interface for the isUserInRole decision.

I have not yet tried running the jaspic tck on this so don't know how many bugs there are in the jaspic adapter. Regular security seems to work OK. Most likely I will spend a little time on this in the next few days.

I developed most of the ideas for the web-adapted interface and adapter working on the jetty jaspic integration. In particular jetty wanted to be able to run without the jaspic api jar, and since this seemed like it might be desirable for tomcat as well, no jaspic classes are used outside the jaspic adapter.

I think it would be great if the tomcat community integrated some version of this code in perhaps tomcat 7 but I do not expect to be providing any patches to tomcat for this. I'm happy to talk about the code, but I'm more likely to see discussion on the geronimo dev list.

thanks
david jencks
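The following is an added sketch, written for this page and not taken from the Geronimo code linked above, of the shape the mail describes for Tomcat 6: a Valve that replaces Realm-based security by delegating to an authenticator and an authorizer, a JACC-backed authorizer whose every decision is a Policy.implies() check on a JACC web permission, and a Realm kept only so that isUserInRole() can be answered with a WebRoleRefPermission. The interface names (Authenticator, Authorizer, AuthResult), class names (SecurityValve, JaccAuthorizer, JaccRealm) and the way the servlet name reaches the realm are assumptions for illustration; the Tomcat and JACC APIs used are the real Tomcat 6 and JACC 1.x ones.

```java
// Added sketch, not the Geronimo code referenced in the mail. Names of the
// Authenticator/Authorizer/AuthResult/SecurityValve/Jacc* types are assumed.
import java.io.IOException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.RealmBase;
import org.apache.catalina.valves.ValveBase;

/** Outcome of an authentication attempt: a principal (or none) and whether a challenge was already written. */
final class AuthResult {
    final Principal principal;   // null when no caller identity was established
    final boolean responseSent;  // true when the authenticator wrote a challenge/redirect
    AuthResult(Principal principal, boolean responseSent) { this.principal = principal; this.responseSent = responseSent; }
}

/** Servlet-adapted counterpart of a JASPIC ServerAuthContext (assumed interface). */
interface Authenticator {
    AuthResult authenticate(Request request, Response response, boolean mandatory) throws Exception;
}

/** The decisions the JASPIC servlet profile asks the container to make (assumed interface). */
interface Authorizer {
    boolean isUserDataPermitted(Request request);              // transport guarantee satisfied?
    boolean isAuthMandatory(Request request);                  // is an unauthenticated caller refused?
    boolean isResourcePermitted(Request request, Principal[] principals);
}

/** Valve that makes the security decisions instead of a Realm. */
public class SecurityValve extends ValveBase {
    private final Authenticator authenticator;
    private final Authorizer authorizer;
    private final String policyContextId;   // JACC context ID of the deployed web module

    public SecurityValve(Authenticator authenticator, Authorizer authorizer, String policyContextId) {
        this.authenticator = authenticator; this.authorizer = authorizer; this.policyContextId = policyContextId;
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        PolicyContext.setContextID(policyContextId);   // scope every JACC check to this module
        if (!authorizer.isUserDataPermitted(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // a real valve would redirect to the SSL port
            return;
        }
        boolean mandatory = authorizer.isAuthMandatory(request);
        AuthResult result;
        try {
            result = authenticator.authenticate(request, response, mandatory);
        } catch (Exception e) {
            throw new ServletException("authentication failed", e);
        }
        if (result.responseSent) return;   // challenge or redirect already sent, stop the pipeline
        Principal[] principals = result.principal == null ? new Principal[0] : new Principal[] { result.principal };
        if (!authorizer.isResourcePermitted(request, principals)) {
            // No identity: ask for one. Identity but no permission: refuse outright.
            response.sendError(result.principal == null ? HttpServletResponse.SC_UNAUTHORIZED
                                                        : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (result.principal != null) request.setUserPrincipal(result.principal);
        getNext().invoke(request, response);
    }
}

/** JACC-backed authorizer: each decision is Policy.implies() on a JACC web permission. */
class JaccAuthorizer implements Authorizer {
    static boolean implies(Permission permission, Principal[] principals) {
        // A ProtectionDomain carrying only the caller's principals, as the JACC servlet profile prescribes.
        ProtectionDomain domain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), null, null, principals);
        return Policy.getPolicy().implies(domain, permission);
    }
    public boolean isUserDataPermitted(Request request) { return implies(new WebUserDataPermission(request), null); }
    public boolean isAuthMandatory(Request request) { return !implies(new WebResourcePermission(request), null); }
    public boolean isResourcePermitted(Request request, Principal[] principals) {
        return implies(new WebResourcePermission(request), principals);
    }
}

/** Realm retained only because Tomcat routes isUserInRole() through Realm.hasRole(). */
class JaccRealm extends RealmBase {
    private final String servletName;   // assumed: in practice taken from the current Wrapper
    JaccRealm(String servletName) { this.servletName = servletName; }
    @Override public boolean hasRole(Principal principal, String role) {
        return JaccAuthorizer.implies(new WebRoleRefPermission(servletName, role), new Principal[] { principal });
    }
    @Override protected String getName() { return "JaccRealm"; }
    @Override protected String getPassword(String username) { return null; }   // never authenticates
    @Override protected Principal getPrincipal(String username) { return null; }
}
```

The two status codes in the valve encode the usual distinction a practitioner wants to check: an anonymous caller hitting a constrained resource gets 401 so the authenticator's challenge can be retried, while an authenticated caller who lacks the role gets 403. isAuthMandatory() follows the JACC rule that authentication is only required when the WebResourcePermission is not granted to the unauthenticated (no-principal) domain, which is why it passes null principals.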

