On Mon, 12 Nov 2001, Andreas Graichen wrote:
> Date: Mon, 12 Nov 2001 12:49:00 +0100
> From: Andreas Graichen <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Session variables in TC 4.0.1 realms
>
> Hi,
>
> I'm going to develop an authentication realm (based on FORM authentication)
> for TC 4.0.1 which performs a kind of challenge/response task: Put a
> challenge into a session variable on the login page (.jsp). The expected
> password would then be the encrypted challenge. Within my realm the
> decryption of the response and the verification against the stored session
> variable has to be performed. The problem is that the HTTP request is not
> accessible within TC 4.x realms. This was possible in TC 3.x. Is there any
> possibility to access a session variable in a TC 4.x custom realm? Thank
> you.
>
It sounds like you really want to write an Authenticator implementation
(perhaps based on FormAuthenticator, perhaps with some encryption
functionality from DigestAuthenticator?) rather than a Realm. The
Authenticator has complete access to the request and session environments
-- a Realm is just a place to look up usernames to see if the specified
password was valid.

Tomcat 4 separates the concepts of HOW authentication is performed
(Authenticator) and WHERE the users and passwords are looked up (Realm).
In principle, you would want your authentication mechanism to work with
ANY source of usernames and passwords. Tomcat 3.2 combined these two
concepts into one class, which made it hard to mix and match things.
> Andreas Graichen
>
Craig
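
The split described in the reply, as an added example that is not part of the original thread and is not Tomcat code: `SecretStore` and `ChallengeAuthenticator` are hypothetical stand-ins for a Realm and an Authenticator, a `Map` stands in for the HTTP session, and HMAC-SHA256 is swapped in for the "encrypted challenge" of the question.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class ChallengeResponseSketch {
    // Hypothetical stand-in for the WHERE: looks up a user's stored secret, nothing else.
    interface SecretStore { byte[] secretFor(String user); }

    // Hypothetical stand-in for the HOW: owns the session and the challenge lifecycle.
    static class ChallengeAuthenticator {
        private final SecretStore store;
        private final SecureRandom rng = new SecureRandom();
        ChallengeAuthenticator(SecretStore store) { this.store = store; }

        // Login page step: put a fresh random challenge into the session.
        String issueChallenge(Map<String, Object> session) {
            byte[] c = new byte[16];
            rng.nextBytes(c);
            String challenge = Base64.getEncoder().encodeToString(c);
            session.put("challenge", challenge);
            return challenge;
        }

        // Form submit step: the challenge is single-use, so remove it before checking.
        boolean verify(Map<String, Object> session, String user, byte[] response) throws Exception {
            String challenge = (String) session.remove("challenge");
            byte[] secret = store.secretFor(user);
            if (challenge == null || secret == null || response == null) return false;
            return MessageDigest.isEqual(hmac(secret, challenge), response); // constant-time compare
        }
    }

    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one user, a plain Map standing in for the HTTP session.
        Map<String, byte[]> users = new HashMap<>();
        users.put("alice", "constructed-secret".getBytes(StandardCharsets.UTF_8));
        ChallengeAuthenticator auth = new ChallengeAuthenticator(users::get);
        Map<String, Object> session = new HashMap<>();
        byte[] response = hmac(users.get("alice"), auth.issueChallenge(session)); // client side
        System.out.println("fresh response accepted: " + auth.verify(session, "alice", response));
        System.out.println("replayed response accepted: " + auth.verify(session, "alice", response));
    }
}
```

Because the store only answers lookups, the same authenticator works unchanged against any other source of user secrets.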