Just FYI, I don't think this is a good idea for general
tomcat authentication.
One reason is that "credentials" are not always a simple string - you can
have complex authentication schemes where you require certain schemes
based on the IP address, etc.
GetUserRoles might not work for paranoid realms - if I remember correctly
some allow you to check if a user has a certain role, but not to find all
the roles that a user has. For example Apache ( if you treat the native
apache auth modules as a realm - quite useful for integration with
apache).
But of course, it's a matter of taste - and this interface can be a good
abstraction for a class of realms. The current model ( with hooks having
access to all request info ) is IMHO much better for the general case.
Costin
On Tue, 5 Jun 2001, Michael Jennings wrote:
> Using the delegation model I outlined earlier where I wrote a RealmHandler
> that delegates authentication to a RealmProvider-implementing class
>
> public interface RealmProvider
> {
>     public boolean authenticate(String username, String credentials) throws Exception;
>     public String[] getUserRoles(String username) throws Exception;
>     public boolean initialize(String setupstring) throws Exception;
>     public void shutdown() throws Exception;
> }
>
> I was able to write a JDBCRealmProvider (borrowing liberally from JDBCRealm)
> as well as a SampleRealmProvider (which merely authenticated users if their
> username==password)
>
> What I was thinking, is that I (or someone else) could write a
> JAASRealmProvider that implements the above interface and knows how to
> talk to the JAAS stuff.
>
> This way we don't force users to use JAAS (even though they should) and if
> they have legacy authentication requirements they can easily write their
> own RealmProvider.
>
> That's what I think anyway.
> -Mike Jennings
>
>
> ----- Original Message -----
> From: "Andy Armstrong" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, June 05, 2001 3:31 PM
> Subject: Re: realms and authentication
>
>
> > Antony Bowesman wrote:
> > >
> > > Andy Armstrong wrote:
> > > >
> > > > Michael Jennings wrote:
> > > > >
> > > > > Thanks for the feedback!
> > > > >
> > > > > Does tomcat 3.2.2 currently support JAAS?
> > > >
> > > > Not in any explicit sense I think (anyone?),
> > >
> > > JAAS is not explicitly supported by tomcat. JAAS was only available
> > > from JDK 1.3, supplied as an extension. JAAS is now merged into JDK1.4
> > > but there is no explicit support for JAAS in the servlet API spec 2.3
> > > although JAAS is gradually gaining momentum. There has to be some
> > > reworking to the servlet spec (as well as EJB) to support the concept of
> > > multiple Principals and the JAAS Subject.
> >
> > I've just been having a look at this. As you say it would be easy enough
> > to implement a JAAS realm -- the main problem being how to provide
> > access to the JAAS Subject. The cleanest route would seem to be just to
> > expose the Subject directly by adding
> >
> > Subject getUserSubject()
> >
> > to HttpServletRequest() leaving the question of how to change the
> > handling of Principals to reflect the fact that there can be more than
> > one under JAAS.
> >
> > A quick google reveals that the question of JAAS/Tomcat integration, but
> > I couldn't bottom out what the consensus was last time -- the threads I
> > found just seemed to fizzle out...
> >
> > --
> > Andy Armstrong, Tagish
>
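
The design point raised at the top of this thread, as an added Java sketch that is not part of any message above and is not Tomcat code: a realm that only answers role checks and decides on request data such as the client address cannot be expressed through `authenticate(String, String)` / `getUserRoles(String)`, while the reverse adaptation is trivial. `AuthRequest`, `CheckOnlyRealm`, `adapt` and `restrictTo` are hypothetical names, and the user, password and addresses are constructed sample values.

```java
import java.util.Arrays;

public class RealmSketch {
    // Interface from the thread, trimmed to the two calls under discussion.
    interface RealmProvider {
        boolean authenticate(String username, String credentials) throws Exception;
        String[] getUserRoles(String username) throws Exception;
    }
    // Hypothetical request view (record, Java 16+); a real hook sees the whole request.
    record AuthRequest(String username, String password, String remoteAddr) {}
    // Hypothetical check-only realm: answers "has this role?" but never lists roles.
    interface CheckOnlyRealm {
        boolean authenticate(AuthRequest req) throws Exception;
        boolean hasRole(String username, String role) throws Exception;
    }

    // A RealmProvider always adapts to the check-only form ...
    static CheckOnlyRealm adapt(RealmProvider p) {
        return new CheckOnlyRealm() {
            public boolean authenticate(AuthRequest r) throws Exception {
                return p.authenticate(r.username(), r.password());
            }
            public boolean hasRole(String user, String role) throws Exception {
                String[] roles = p.getUserRoles(user);
                return roles != null && Arrays.asList(roles).contains(role);
            }
        };
    }

    // ... but this policy has no RealmProvider form: the decision needs remoteAddr.
    static CheckOnlyRealm restrictTo(String addrPrefix, CheckOnlyRealm inner) {
        return new CheckOnlyRealm() {
            public boolean authenticate(AuthRequest r) throws Exception {
                return r.remoteAddr().startsWith(addrPrefix) && inner.authenticate(r);
            }
            public boolean hasRole(String u, String role) throws Exception { return inner.hasRole(u, role); }
        };
    }

    public static void main(String[] args) throws Exception {
        RealmProvider sample = new RealmProvider() { // constructed in-memory provider
            public boolean authenticate(String u, String c) { return "alice".equals(u) && "s3cret".equals(c); }
            public String[] getUserRoles(String u) { return "alice".equals(u) ? new String[] {"admin"} : null; }
        };
        CheckOnlyRealm realm = restrictTo("10.", adapt(sample));
        for (String addr : new String[] {"10.0.0.5", "203.0.113.9"})
            System.out.println(addr + " -> " + realm.authenticate(new AuthRequest("alice", "s3cret", addr)));
        System.out.println("alice admin? " + realm.hasRole("alice", "admin"));
    }
}
```

The string-prefix test stands in for a real address policy; the same correct password is accepted from the first address and refused from the second, which a `RealmProvider` alone has no way to distinguish.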