On Jul 16, 2009, at 5:16 PM, Mark Thomas wrote:

As a result of looking into
https://issues.apache.org/bugzilla/show_bug.cgi?id=40881, I discovered
that the only use made of the Realm attribute of GenericPrincipal is to control whether or not a debug message is logged in RealmBase.hasRole()

Given that the Realm is the reason that GenericPrincipal is not
Serializable, I'd like to propose the following changes for Tomcat 7.

1. Remove the Realm from GenericPrincipal
2. Make GenericPrincipal Serializable
3. Take advantage of this to simplify the Cluster code

As a by product, this should also address bug 40881 by allowing any
Realm that uses any Serializable Principal to work with clustering.

Thoughts?


I'm not sure exactly how the GenericPrincipal fits into Tomcat security, but you might want to consider that JASPIC requires that whatever Principal is set up by the authentication context (and communicated to the server through the somewhat bizarre mechanism of a callback handler) must be the principal returned from getUserPrincipal. My conclusion from this is that a reasonable architecture involves some kind of UserIdentity object that contains the identity info including the principal, but that trying to enforce usage of a particular principal class is not a good idea. cf. the JASPIC integration I mentioned the other day.

thanks
david jencks

Mark
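As an added illustration (not code from this thread, and not Tomcat's own GenericPrincipal or Realm), the self-contained Java sketch below shows the mechanism behind Mark's proposal: a principal that keeps a back-reference to a non-Serializable Realm cannot be written by ObjectOutputStream even if the principal class itself is marked Serializable, while a principal that carries only its name and roles survives the same round trip that session replication performs. The Realm interface, DummyRealm, RealmBoundPrincipal and SerializablePrincipal are hypothetical stand-ins with simplified constructors, not Catalina's classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;

public class PrincipalSerializationDemo {

    // Hypothetical stand-in for Catalina's Realm. Real realms hold JDBC/LDAP
    // connections, caches and container references, so they are not Serializable.
    interface Realm {
        boolean hasRole(Principal p, String role);
    }

    static class DummyRealm implements Realm {
        public boolean hasRole(Principal p, String role) { return false; }
    }

    // "Before": principal with a Realm back-reference (hypothetical; mirrors the
    // shape of the Tomcat 6 GenericPrincipal). Marking the class Serializable is
    // not enough: serialization follows every non-transient field, and the Realm
    // field is not Serializable, so writeObject fails for the whole session.
    static class RealmBoundPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final Realm realm;
        private final String name;
        private final String[] roles;

        RealmBoundPrincipal(Realm realm, String name, String[] roles) {
            this.realm = realm;
            this.name = name;
            this.roles = roles.clone();
        }
        public String getName() { return name; }
        public Realm getRealm() { return realm; }
        public String[] getRoles() { return roles.clone(); }
    }

    // "After": the principal carries only what a replicated session needs, the
    // user name and the resolved role names. No Realm is stored, so it serializes.
    static class SerializablePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final String[] roles; // sorted copy so hasRole can binary-search

        SerializablePrincipal(String name, String[] roles) {
            this.name = name;
            this.roles = roles.clone();
            Arrays.sort(this.roles);
        }
        public String getName() { return name; }
        public boolean hasRole(String role) {
            return Arrays.binarySearch(roles, role) >= 0;
        }
    }

    // Serialize and deserialize through a byte array: the same operation a
    // clustered session manager performs when it ships a session to another node.
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T copy = (T) ois.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample identity, not taken from any real deployment.
        String[] roles = {"manager-gui", "admin"};

        try {
            roundTrip(new RealmBoundPrincipal(new DummyRealm(), "alice", roles));
            System.out.println("unexpected: realm-bound principal serialized");
        } catch (NotSerializableException e) {
            // This is the failure a clustered deployment hits: the offending field
            // is the Realm, and the entire session attribute fails to replicate.
            System.out.println("realm-bound principal failed: " + e);
        }

        SerializablePrincipal copy = roundTrip(new SerializablePrincipal("alice", roles));
        System.out.println("replicated principal: " + copy.getName()
            + " admin=" + copy.hasRole("admin")
            + " manager-gui=" + copy.hasRole("manager-gui")
            + " unknown=" + copy.hasRole("unknown"));
    }
}
```

One consequence worth keeping in mind with the "after" shape: once roles travel inside the serialized principal rather than being re-resolved against a Realm on the receiving node, the replication channel becomes part of the trust boundary, since anyone who can inject objects into it can mint a principal with arbitrary roles. Replication traffic between cluster members therefore needs to be confined to a trusted network or otherwise protected, independent of the Realm's own authentication.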

