Tomcat 3.x uses Interceptors and thus the SecurityCheck.
Tomcat 4.x uses Generalized Security handling code with pluggable Realm
classes ( realms are access points into user authentication, authorization
information ). Realms are pluggable under the conf/server.xml file.
There is a SimpleRealm class, and a JDBCRealm class. Maybe someone should
volunteer a JAASRealm and LDAPRealm for normal users to use...
fern
On Sun, 25 Feb 2001, Falcon cheetah wrote:
>
> Well, I extend SimpleRealm because I did not see securityCheck anywhere in the
>tomcat tree, and I assumed it was modified. And it works for me :)
>
> What is JAAS? And I am not sure if writing and intercepter qualifies as a project.
>
> I guess what we need to do is to get the wrox code to work for us and then modify it
>to do more general auth with ldap. I saw that there is a huge amount of bad coding in
>that wrox class and I am waiting to see it working so I would do a whole rewrite.
>
> I guess if you want us to launch a project for this we have to start putting the
>word on the tomcat-dev, rather than tomcat-users, someone would give us the heads on
>there.
>
>
>
> Regards.
>
> Ahmed.
>
>
> Martin Smith <[EMAIL PROTECTED]> wrote:
> OK, I've read over ldapAuthCheck.java (by Mark Wilcox, apparently.) I
> pretty well understand everything there, except I have a blank spot in
> knowledge of the Tomcat architecture. Which means I don't understand
> why you had to extend simpleRealm instead of securityCheck.
>
> Obviously, neither this class nor Tomcat implements JAAS. I'm assuming
> that's because they were built before JAAS was defined. They're also
> much simpler than the total pluggable-authentication-module framework
> implemented by JAAS. That's cool, since I don't need all that stuff
> anyhow. It's nice that the user name and password are just passed as
> strings in the call to checkPassword(), for example.
>
> So--What needs doing? I've never worked on a project so I don't know the
> rules.
>
> (The only thing I know I'd like to change is to add flexibility to use
> the "mail" attribute as the userID instead of the "UID" attribute.)
>
> Martin
>
>
> Falcon cheetah wrote:
>
> > Martin,
> >
> > There is a good material about LDAP with Tomcat from Wrox's
> > Professional JSP. There are two chapters that talk about this, and on
> > chapter 15 they write a tomcat interceptor to do this task. I am
> > currently trying to squeez sometime to test that. If you want to
> > download the source code from their site and take a look at it.
> >
> > I know they have few issues with their interceptor. For example I had
> > to make the class extend SimpleRealm instead of CheckSecurity.
> >
> > If you want to play with it and we can cooporate on expanding this
> > code or put it in a seperate project if you want. If not I am glad to
> > point out this great book to you and everyone else.
> >
> >
> >
> > Ahmed.
> >
> > Martin Smith wrote:
> >
> > I have been patiently lurking and waiting to see some news
> > on the
> > existence of a way to do Servlet container (ie Tomcat)
> > authentication
> > against an LDAP source of security info.
> >
> > I even posted an RFP at one of these freelancer sites
> > (ants.com) to have
> > one built. No credible responses.
> >
> > Limited though I am at programming java (or anything), I'm
> > considering
> > trying to build one myself. But I thought I'd ask one last
> > time: is
> > there a JNDI or LDAP Interceptor in the works anywhere?
> >
> > If not, any advice on the scope of the project? Do I just
> > get the
> > JDBCRealm source and analogize? (Sure hope we don't need
> > threads! And
> > callbacks sound hard, too.)
> >
> > TIA,
> >
> > martin
> >
> >
> >
> > -
> > -------------------------------------------------------------------
> >
> > To unsubscribe, e-mail:
> > [EMAIL PROTECTED]
> > For additional commands, email:
> > [EMAIL PROTECTED]
> >
> >
> > -----------------------------------------------------------------------
> > Do You Yahoo!?
> > Yahoo! Auctions - Buy the things you want at great prices!
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
>
>
>
> ---------------------------------
> Do You Yahoo!?
> Yahoo! Mail Personal Address - Get email at your own domain with Yahoo! Mail.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
