Remy Maucherat wrote: > I'll only be talking about HTTP authentication and the interaction with > the realms for now. > > The main problem is that some authentication schemes need the realm to > function (digest, for example). So I don't see how we can put that layer > of processing in Coyote, since we need access to the realm to perform > it. However, the code in the current authenticators will enventually be > rewritten Coyote-style (and using tomcat-util objects) so that it > actually performs well.
That's orthogonal and not the subject of this discussion ( the proposal is about authorization, not authentication ). Also the issue of using coyote hooks ( Action ) or a custom interface is orthogonal on what information is needed, in both cases the implementation of the authentication hook ( or interface ) will have access to the same information ( Request, user info, etc ). > I think a refactoring of the realms is needed in order to support any > auth scheme (most realms don't work with digest). To be able to do +1. I would add to the wish list better support for web server integration. It would be nice ( at least for jni mode ) to be able to have the native server call the hook to auth static resources - but the real important thing is allow the native server do it ( and the countless auth modules ). > We should probably standardize on storing the limited digest defined in > the RFC in the realms instead of the clear password or some kind of > unusable digest of the password. I like the move to split the storage of the info about user from Realm, as well as the split of authorization/authentication. I don't like the current abstraction for user info ( and the fact that all users need to be in memory ), and I would preffer use of a consistent hook mechanism ( coyote Action ) instead of special interfaces. Costin -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
