Hi Filip,

Filip Hanik wrote:
> 
> Hi,
> I'm currently part of a project that is writing an open source
> Tomcat book, http://sourceforge.net/projects/tomcatbook.
> 
> I have written a document that explains the Tomcat interceptor
> design and how to build your own interceptors. I would be happy to
> receive feedback on this document from the actual developers,
> feel free to use it as a how-to, it will be licensed by the GPL
> Free Documentation license.
> http://www.gnu.org/copyleft/fdl.html

> 
> Feel free to send me feedback.
> thanks in advance.

Having just spent a while digging into Tomcat workings to try to
understand how to write a realm this would have been a really useful
primer.  It's a great start.  I would like to see more detail on:

Contexts.  What is their role in Interceptors.  For example, it seems
that an Interceptor is a singleton but the contextInit() is called for
each Context found in server.xml.  

The authenticate() and authorize() mechanisms need more details.  For
example, with Tomcat 3.2.? the authorize() mechanism must call
req.getRemoteUser() to trigger the authenticate() method.

authorize() is called by the contextManager which is more relevant than
the isUserInRole() call as the context manager is tomcat core. 
isUserInRole() is only called if the application calls it.

HttpServletRequest.isUserInRole() rather than getUserInRole().  Perhaps
you should cover the concept of realms as these are something that
people have to deal with.  You briefly mention the JDBC realm, the
implication being that this is always used.

Also for realms _every_ request is authenticated.

Some coverage of any synchronisation issues would be useful. 
Presumably, it is possible to get concurrent requests to an interceptor
so synchronisation is necessary.

Keep going!  Tomcat is sorely lacking good documentation.

Rgds
-- 
Antony Bowesman
Teamware Group 
[EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705
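To make the three points above concrete (one interceptor instance with contextInit() run per Context, authorize() relying on req.getRemoteUser() to trigger authenticate(), and the need to make shared state safe under concurrent requests), here is an added sketch written for this thread. It is not code from the Tomcat book or from Tomcat itself. The hook names and signatures it assumes for the Tomcat 3.2 line are contextInit(Context), authenticate(Request, Response) and authorize(Request, Response, String[]) on BaseInterceptor, returning 0 to continue or an HTTP status to stop; Context.getPath(), Request.getContext(), Request.getHeader(String), Request.getRemoteUser() and Request.setRemoteUser(String) are assumed as well, and the user table is constructed sample data.

```java
// Added illustration for this thread; not code from the Tomcat book or from
// Tomcat. Assumed (labelled) Tomcat 3.2 hooks: BaseInterceptor's
// contextInit(Context), authenticate(Request, Response) and
// authorize(Request, Response, String[]), returning 0 to continue or an HTTP
// status to stop. Context.getPath(), Request.getContext(), Request.getHeader,
// Request.getRemoteUser and Request.setRemoteUser are assumed too.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Hashtable;

import org.apache.tomcat.core.BaseInterceptor;
import org.apache.tomcat.core.Context;
import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.core.TomcatException;

public class PerContextRealm extends BaseInterceptor {

    private static final class UserEntry {
        final byte[] password;
        final String[] roles;
        UserEntry(String password, String[] roles) {
            this.password = password.getBytes(StandardCharsets.UTF_8);
            this.roles = roles;
        }
    }

    // A single interceptor instance serves every Context, and requests for
    // different Contexts arrive concurrently. Per-context state is therefore
    // keyed by context path and kept in a synchronized Hashtable; each
    // per-context table is filled once in contextInit() and only read after.
    private final Hashtable contextUsers = new Hashtable(); // path -> Hashtable(user -> UserEntry)

    // Invoked once for each Context listed in server.xml.
    public void contextInit(Context ctx) throws TomcatException {
        Hashtable users = new Hashtable();
        // Constructed sample users; a real realm loads these from configuration or a store.
        users.put("alice", new UserEntry("correct horse", new String[] { "manager", "user" }));
        users.put("bob",   new UserEntry("battery staple", new String[] { "user" }));
        contextUsers.put(ctx.getPath(), users);
    }

    // Triggered through req.getRemoteUser(); must NOT call getRemoteUser() itself,
    // or it would recurse. Sets the remote user only when the credentials check out.
    public int authenticate(Request req, Response res) {
        Hashtable users = (Hashtable) contextUsers.get(req.getContext().getPath());
        String[] cred = basicCredentials(req.getHeader("authorization"));
        if (users == null || cred == null) return 0;        // anonymous; authorize() decides
        UserEntry entry = (UserEntry) users.get(cred[0]);
        byte[] supplied = cred[1].getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares in constant time, so a wrong password
        // takes the same time whether it differs in the first byte or the last.
        if (entry != null && MessageDigest.isEqual(entry.password, supplied)) {
            req.setRemoteUser(cred[0]);
        }
        return 0;
    }

    // Called by the ContextManager for a constrained resource, independent of
    // whether the application ever calls isUserInRole().
    public int authorize(Request req, Response res, String[] roles) {
        if (roles == null || roles.length == 0) return 0;   // unconstrained resource
        String user = req.getRemoteUser();                  // this call runs authenticate()
        if (user == null) return 401;
        Hashtable users = (Hashtable) contextUsers.get(req.getContext().getPath());
        UserEntry entry = users == null ? null : (UserEntry) users.get(user);
        if (entry == null) return 403;
        for (int i = 0; i < roles.length; i++)
            for (int j = 0; j < entry.roles.length; j++)
                if (roles[i].equals(entry.roles[j])) return 0;
        return 403;
    }

    // Parses "Basic base64(user:password)"; returns null for anything else.
    static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
}
```

The only mutable shared structure is populated inside contextInit() before any request reaches the Context, so authenticate() and authorize() never need a lock of their own; if a realm instead cached lookups or refreshed users at run time, that cache would need the same kind of synchronisation.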
