Casey,
you probably want to write a custom 'Realm' interceptor - look at SimpleRealm
and JDBCRealm; each of these classes has a set of
routines that 'authorize' and 'authenticate' a user request against different
authorization types (SimpleRealm is a plain xml file, JDBCRealm is a relational
database model of the same).
When a user attempts to connect to a 'protected' region of a web-application,
the ContextManager attempts to call an authenticate method in each of the
'known' requestInterceptors until it either reaches the end of the
interceptor list with no success or gets a successful 'hit' from one of the
interceptors. Providing a custom Realm interceptor (LDAPRealm?) should enable
you to encapsulate your authorization methods safely - and still get them called
;-)
SimpleRealm is pretty straightforward but JDBCRealm is a better example of a
'real world' solution.
One question that I still have is: can Tomcat support multiple realms? I can see
that each RealmInterceptor can be replaced and, in theory, you could load
multiple RealmInterceptors. The problem, as I see it, is that if the principal of
the user (i.e. the user name and the credentials (password)) is duplicated in two
of the RealmInterceptors, then the first and only the first is returned.
There seems no way in Tomcat to specify which Realm 'type' should be used to
service the authentication lookup. I noticed that you can specify a 'realm' in
the text of the web-application's xml file but there's no code to link this text
with the Realm 'type'; it actually says in the Servlet spec that there is no
connection between a security 'realm' and this 'realm' field - an unfortunate
conflict of terms.
Comments anyone [please] - How does/should Tomcat support multiple realm types?
Does it make sense to use the 'realm' information from the web.xml to further
specify which realm 'manager' to use?
[Proposal-ette]:
The idea might be that the realm text should hold the type of the realm (Simple
for SimpleRealm, JDBC for JDBCRealm, xxxx for xxxxRealm), and, if a realm type
can't be found, then simply defaulting back to current behavior would suffice.
Opinions?
-Thom
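As an added illustration, not code from the original message and not Tomcat's own RealmInterceptor API, the following Python model shows the two behaviours discussed above: the ContextManager walking a list of realm interceptors and returning the first 'hit', so that a principal duplicated in two realms is only ever resolved against the first one, and the proposal-ette of using the web.xml realm text to pick a realm type with a fallback to the current first-hit behaviour. The realm names, users, roles and the SHA-256 digest scheme are all constructed for the example.

```python
"""Constructed model of a realm-interceptor chain; not Tomcat code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str            # which realm interceptor authenticated this user
    roles: FrozenSet[str]


def _digest(password: str) -> str:
    # Constructed scheme: realms store only a digest, never the plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class RealmInterceptor:
    """Hypothetical stand-in for SimpleRealm / JDBCRealm: one user store."""

    def __init__(self, name: str, users: Dict[str, Tuple[str, Iterable[str]]]):
        self.name = name
        self._users = {u: (_digest(pw), frozenset(roles))
                       for u, (pw, roles) in users.items()}

    def authenticate(self, user: str, password: str) -> Optional[Principal]:
        entry = self._users.get(user)
        if entry is None:
            return None
        stored_digest, roles = entry
        # Constant-time comparison so a wrong guess does not leak by timing.
        if not hmac.compare_digest(stored_digest, _digest(password)):
            return None
        return Principal(user, self.name, roles)

    def authorize(self, principal: Principal, required: Iterable[str]) -> bool:
        # A realm only vouches for principals it issued itself.
        return principal.realm == self.name and bool(principal.roles & set(required))


class ContextManager:
    """Walks the interceptor list the way the thread describes."""

    def __init__(self, interceptors: List[RealmInterceptor]):
        self.interceptors = list(interceptors)

    def authenticate(self, user: str, password: str) -> Optional[Principal]:
        # Current behaviour: first successful hit wins, later realms never run.
        for realm in self.interceptors:
            principal = realm.authenticate(user, password)
            if principal is not None:
                return principal
        return None

    def authenticate_in(self, realm_name: str, user: str, password: str) -> Optional[Principal]:
        # Proposal-ette: the web.xml realm text names the realm type to use;
        # an unknown name falls back to the first-hit chain above.
        for realm in self.interceptors:
            if realm.name == realm_name:
                return realm.authenticate(user, password)
        return self.authenticate(user, password)

    def authorize(self, principal: Principal, required: Iterable[str]) -> bool:
        return any(r.authorize(principal, required) for r in self.interceptors)


def build_manager() -> ContextManager:
    # Constructed sample data: 'alice' exists in both realms with the same
    # password but different roles, which is the duplicated-principal case.
    simple = RealmInterceptor("Simple", {"alice": ("s1mple-pw", ["user"])})
    jdbc = RealmInterceptor("JDBC", {"alice": ("s1mple-pw", ["admin"]),
                                     "bob": ("b0b-pw", ["user"])})
    return ContextManager([simple, jdbc])


if __name__ == "__main__":
    cm = build_manager()
    first = cm.authenticate("alice", "s1mple-pw")
    print("chain picks:", first.realm, sorted(first.roles))          # Simple ['user']
    chosen = cm.authenticate_in("JDBC", "alice", "s1mple-pw")
    print("web.xml realm picks:", chosen.realm, sorted(chosen.roles))  # JDBC ['admin']
    print("admin via chain?", cm.authorize(first, ["admin"]))          # False
```

Run as a script it prints which realm resolved 'alice' under each strategy; the point of the model is that with the plain chain the JDBC roles for 'alice' are unreachable, while selecting the realm by name makes them available without changing the fallback for names no realm claims.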
"Bragg, Casey" wrote:
> Hello all:
> I know this has been discussed many times, but I'm still in the dark...
>
> I'd like to have my custom authentication/authorization/other misc code
> executed during processing of each incoming request. Form Based login is
> what I need to use, but I'm unclear how to customize the auth method (i.e. I
> already have authentication methods to auth against database/ file/ LDAP/
> Magic 8 Ball/ etc, but I don't know how to get Tomcat to run it).
>
> I'd like to have this implementation to be as server independent as
> possible.
>
> Should I use a RequestInterceptor somehow?
>
> ...Casey
>
> ==============================================
> Casey Bragg - Software Engineer
> Allegiance Telecom, Inc. Dallas, TX
> 469-259-2702 - [EMAIL PROTECTED]
> ==============================================
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]