Costin Manolache wrote:

> Hi,
>
> I'm close to getting the JAAS realm and the memory LoginModule working - if I
> remember correctly we agreed to make JAAS the default for 5.0 (I don't
> remember any objections).

What about authorization :-) Right now, the Realm implementation includes the 3 authorization methods:

- hasRole
- hasUserDataPermission
- hasResourcePermission

Those methods are currently implemented in RealmBase. Are you moving them also?

If yes, then the authorization stuff I'm working on (based on our previous discussion) will have to move there (I'm slowly slowly coming up with an implementation ;-)).

> I never tried it in 4.x - but from the code I strongly doubt it works.
>
> There is one change I would like to make.
>
> As you know, JAAS login modules return a Subject and a set of Principals.
> There is no clear way to decide which Principals are Roles - so we currently
> require the user to configure the realm with the list of classes that are
> role principals.
>
> In addition to that, I would like to support a different pattern - used
> in JBoss - which seems much cleaner and more logical.
>
> If a Principal of type "java.security.acl.Group" is found - named "Roles" -
> we'll treat all the Principals in that Group as roles. (The old mechanism
> should still be supported, of course.)

+1 We will have to document this new feature. I see a lot of questions on tomcat-user.....

> The other problem: I think we should move the catalina-independent JAAS
> code into a separate module, for example j-t-c/jaas. That would include
> SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc.
> LoginModules if anyone has the time to make the conversion. It's not a big
> priority, but it'll clean up the code deps and maybe the code could be
> reused.

+1

> Opinions ? Votes ?

+1

-- Jeanfrancois

> Costin



--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
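The two role-mapping mechanisms discussed in the thread (a configured list of "role principal" classes, and the JBoss pattern of a `java.security.acl.Group` named "Roles" whose members are the roles), as an added example that is not part of this thread and not Tomcat's or JBoss's own code. `RoleExtractor`, `RolePrincipal` and `SimpleGroup` are hypothetical names for this illustration, and `SimplePrincipal` here is a stand-in, not the Tomcat class of that name. The Subject is constructed inline to look like what a JBoss-style LoginModule would commit. The check that matters is the exact name comparison: only the Group called "Roles" yields roles, so a Group carrying the caller's identity under another name cannot turn a username into a role.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;

/** Plain named Principal (assumed stand-in, not Tomcat's SimplePrincipal). */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

/** Class an administrator would list in the realm config as a role class (old mechanism); hypothetical. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
}

/** Minimal java.security.acl.Group, populated the way a JBoss-style LoginModule does it. */
final class SimpleGroup implements Group {
    private final String name;
    private final Set<Principal> members = new LinkedHashSet<>();
    SimpleGroup(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public boolean addMember(Principal p) { return members.add(p); }
    @Override public boolean removeMember(Principal p) { return members.remove(p); }
    @Override public boolean isMember(Principal p) { return members.contains(p); }
    @Override public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
}

/** Maps the Principals of a JAAS Subject to role names using both mechanisms from the thread. */
final class RoleExtractor {
    /** Only a Group with exactly this name carries roles; Groups with other names are ignored. */
    static final String ROLES_GROUP = "Roles";
    private final Set<String> roleClassNames;

    RoleExtractor(Collection<String> roleClassNames) {
        this.roleClassNames = new HashSet<>(roleClassNames);
    }

    Set<String> rolesFrom(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && ROLES_GROUP.equals(p.getName())) {
                // JBoss pattern: every member of the "Roles" Group is a role.
                Enumeration<? extends Principal> e = ((Group) p).members();
                while (e.hasMoreElements()) {
                    roles.add(e.nextElement().getName());
                }
            } else if (roleClassNames.contains(p.getClass().getName())) {
                // Old mechanism: the principal's class is configured as a role class.
                roles.add(p.getName());
            }
            // Everything else (the user principal, Groups with other names) is not a role.
        }
        return roles;
    }

    boolean hasRole(Subject subject, String role) {
        return rolesFrom(subject).contains(role);
    }
}

public class JaasRolesDemo {
    public static void main(String[] args) {
        // Constructed Subject, shaped like the output of a JBoss-style LoginModule.
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal("jeanfrancois"));  // the authenticated user

        Group roles = new SimpleGroup(RoleExtractor.ROLES_GROUP);
        roles.addMember(new SimplePrincipal("tomcat"));
        roles.addMember(new SimplePrincipal("manager"));
        subject.getPrincipals().add(roles);

        Group other = new SimpleGroup("CallerPrincipal");  // a Group with another name: not roles
        other.addMember(new SimplePrincipal("jeanfrancois"));
        subject.getPrincipals().add(other);

        subject.getPrincipals().add(new RolePrincipal("admin"));  // old mechanism: configured class

        RoleExtractor extractor =
            new RoleExtractor(Collections.singleton(RolePrincipal.class.getName()));
        System.out.println("roles: " + extractor.rolesFrom(subject));
        System.out.println("hasRole(manager): " + extractor.hasRole(subject, "manager"));
        System.out.println("hasRole(jeanfrancois): " + extractor.hasRole(subject, "jeanfrancois"));
    }
}
```

Compile and run with `javac JaasRolesDemo.java && java JaasRolesDemo` on JDK 8 through 13; `java.security.acl` was deprecated for removal in JDK 9 and dropped in JDK 14, so on newer JDKs the `Group` interface has to be replaced by an equivalent of your own. Note that with the old mechanism alone, configuring `SimplePrincipal` as the role class would have made the user principal "jeanfrancois" itself a role, which is exactly the ambiguity the "Roles" Group convention removes.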





