Forget the first comment (I'll delete realmSignNote soon :), I think the second comment remains... intelligent? :-), I don't know.

Regards,
Ignacio J. Ortega

> -----Original Message-----
> From: Nacho [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 27, 2000 23:23
> To: '[EMAIL PROTECTED]'
> Subject: RE: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util Base64.java
>
>
> Hello Costin:
>
> Comments intermixed below.
>
> > - public int authorize( Request req, Response response, > > String roles[] ) > > - { > > - if( roles==null ) { > > - // request doesn't need authentication > > - return 0; > > - } > > - > > - Context ctx=req.getContext(); > > - > > - String userRoles[]=null; > > - > > - String user=req.getRemoteUser(); > > - > > - if( user==null ) > > - return 401; //HttpServletResponse.SC_UNAUTHORIZED > > - > > - if( this.equals(req.getNote(reqRealmSignNote)) ){ > > - return 0; > > - }
>
> IMHO we cannot lose this last check, as it is the way multiple overlapping
> Realms can be used. We need to distinguish the realm that actually
> authenticates a user, to let it do the authorization... This was the idea
> behind the realmSignNote. How can we do that now?
>
> > + // XXX XXX XXX Nacho, I think Digest should be part of > > the Credential > > + // module, so it's used by all Realms. > > +
>
> But if we do things that way, how can I configure a JDBCRealm to use
> digested passwords and others don't?? We will need to use a private
> CredentialsInterceptor for the context that needs digested passwords?
>
> Regards,
> Ignacio J. Ortega
>
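
Review bot: The removed authorize() ends with the check "if( this.equals(req.getNote(reqRealmSignNote)) ) return 0;", and the quoted lines show no replacement for it, so nothing visible here still ties the authorization decision to the realm that authenticated the user. Before this method goes, the commit should either carry an equivalent ownership check in whatever now performs authorization or state where that check lives, and it should confirm that the two early exits (0 when roles==null, 401 when getRemoteUser() is null) are preserved there as well.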
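
Review bot: The added "// XXX XXX XXX Nacho, I think Digest should be part of the Credential module" comment puts an open design question to one developer inside the source instead of documenting the code. Suggest replacing it with a TODO that states the decision still to be made (whether digest handling moves into the credential module for all Realms) and what must remain configurable per realm, and keeping the discussion itself on the list.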