Hi Nacho,
Sorry about this - I'll fix it back if it broke something. I was not sure
about the way Digest worked, and I wanted to find a way to use it in all
realms.
> > - public int authorize( Request req, Response response,
> > String roles[] )
> > - if( this.equals(req.getNote(reqRealmSignNote)) ){
> > - return 0;
> > - }
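Review bot: dropping the `this.equals(req.getNote(reqRealmSignNote))` early return at the top of `authorize()` removes the only check that ties authorization to the realm that actually authenticated the request; with overlapping realms, a realm that never verified the credentials can now proceed past this point. If the check is to leave the realms, the same binding (roles trusted only when set by a configured, authenticating realm) needs to be enforced in the central authorize path, otherwise the roles note alone is the whole trust decision.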
>
> IMHO we cannot lose this last check, as it is the way multiple overlapping
> realms can be used. We need to distinguish the realm that
> actually authenticates a user, to let it do the authorization... this
> was the idea behind the realmSignNote. How can we do that now?
I was thinking that the realm that does authenticate will set the user
roles ( i.e. check user/password, if correct extract the roles for the
user and set them in the request ).
When AccessInterceptor does the authorize(), it doesn't matter which realm
found the roles - all that matters is that a realm ( that is
configured in the server or context setup ) found the request to be
authenticated and the user to have certain roles.
We can certainly add back the check and move back authorize() to Realms,
but I would be happier if we find a way to avoid repeating it in all
realms.
> > + // XXX XXX XXX Nacho, I think Digest should be part of
> > the Credential
> > + // module, so it's used by all Realms.
> > +
> but if we do things that way, how can I configure a JDBCRealm to use
> digested passwords and others don't? Will we need to use a private
> CredentialsInterceptor for the context that needs digested passwords?
To be honest, I don't know too much about Digest authentication - you
spent more time on this issue anyway.
My understanding is that the browser will send an "Authentication: Digest",
and CredentialInterceptor can save this response in the request, as
"password" ( or password-signed-secret, in this case ). This way the code
can be shared by all Realms.
I'm not very sure about this subject - and if you feel we should roll back
the changes I can do it.
In any case, the configuration for digest authentication should be in
web.xml or in the context configuration, not in the realm ( IMHO )
Costin
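The design Costin sketches above (the authenticating realm records the roles in the request, a single AccessInterceptor does the authorization) combined with the realm-sign binding Nacho wants to keep, as a small self-contained model. This is an added illustration, not Tomcat's code: `Request`, `Realm`, `MemoryRealm`, `AccessInterceptor` and the note names `ROLES_NOTE` / `REALM_SIGN_NOTE` are hypothetical stand-ins, and the user table is constructed sample data.

```java
import java.util.*;

// Added illustration (not Tomcat code): the realm that authenticates sets the
// roles on the request and signs it; one central authorize() checks that a
// configured realm did the signing before trusting the roles.
public class RealmAuthzExample {

    /** Stand-in for the servlet request: carries per-request "notes". */
    static final class Request {
        final String user, password;
        final Map<String, Object> notes = new HashMap<>();
        Request(String user, String password) { this.user = user; this.password = password; }
    }

    interface Realm {
        /** Returns true and records roles plus itself on the request if credentials check out. */
        boolean authenticate(Request req);
    }

    static final String ROLES_NOTE = "roles";            // hypothetical note name
    static final String REALM_SIGN_NOTE = "realmSign";   // hypothetical, mirrors reqRealmSignNote

    /** Realm backed by an in-memory table (constructed sample data). */
    static final class MemoryRealm implements Realm {
        private final String name;
        private final Map<String, String> passwords = new HashMap<>();
        private final Map<String, Set<String>> roles = new HashMap<>();
        MemoryRealm(String name) { this.name = name; }
        MemoryRealm add(String user, String pw, String... rs) {
            passwords.put(user, pw);
            roles.put(user, new HashSet<>(Arrays.asList(rs)));
            return this;
        }
        public boolean authenticate(Request req) {
            String pw = passwords.get(req.user);
            if (pw == null || !pw.equals(req.password)) return false;
            req.notes.put(ROLES_NOTE, roles.get(req.user));
            req.notes.put(REALM_SIGN_NOTE, this);   // only the realm that verified signs
            return true;
        }
        public String toString() { return name; }
    }

    /** Central authorization: trust the roles note only if a configured realm put it there. */
    static final class AccessInterceptor {
        private final List<Realm> configured;
        AccessInterceptor(List<Realm> configured) { this.configured = configured; }

        boolean authenticate(Request req) {
            for (Realm r : configured) if (r.authenticate(req)) return true;
            return false;
        }

        /** Returns an HTTP-style status: 401 not authenticated, 403 no matching role, 200 ok. */
        int authorize(Request req, String[] requiredRoles) {
            Object signer = req.notes.get(REALM_SIGN_NOTE);
            if (signer == null || !configured.contains(signer)) return 401;
            @SuppressWarnings("unchecked")
            Set<String> have = (Set<String>) req.notes.get(ROLES_NOTE);
            if (have == null) return 403;
            for (String r : requiredRoles) if (have.contains(r)) return 200;
            return 403;
        }
    }

    public static void main(String[] args) {
        MemoryRealm users = new MemoryRealm("users").add("bob", "bobpw", "user");
        MemoryRealm admins = new MemoryRealm("admins").add("alice", "alicepw", "admin");
        AccessInterceptor ai = new AccessInterceptor(Arrays.asList(users, admins));
        String[] adminOnly = { "admin" };

        Request r1 = new Request("alice", "alicepw");   // authenticated by "admins"
        ai.authenticate(r1);
        System.out.println("alice -> admin area: " + ai.authorize(r1, adminOnly));

        Request r2 = new Request("bob", "bobpw");       // authenticated by "users", lacks role
        ai.authenticate(r2);
        System.out.println("bob -> admin area: " + ai.authorize(r2, adminOnly));

        Request r3 = new Request("alice", "wrong");     // no realm signs the request
        ai.authenticate(r3);
        System.out.println("bad password: " + ai.authorize(r3, adminOnly));
    }
}
```

The point of the `configured.contains(signer)` test is that the roles note is only as trustworthy as whoever wrote it: a realm outside this context's configuration, or code that merely sets the note, cannot pass the check. Compile with `javac RealmAuthzExample.java` and run `java RealmAuthzExample` to see the three cases.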