Hi Carlo! Thank you for helping me :)

My question is about the invoke method in AuthenticatorBase.java. If you look at the invoke code you can see that:
- the method's first action is to check if there is any Principal in the Request
- if there isn't a Principal, it tests if there is a Principal in the internal session (Session)
- if there is a Principal (in Session), it puts the Principal and the authentication method in the Request
- and the method (invoke) continues, and it tries to authenticate the Request

    HttpRequest hrequest = (HttpRequest) request;
    HttpResponse hresponse = (HttpResponse) response;

    // Have we got a cached authenticated Principal to record?
    if (cache) {
        Principal principal =
            ((HttpServletRequest) request.getRequest()).getUserPrincipal();
        if (principal == null) {
            Session session = getSession(hrequest);
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled())
                        log.debug("We have cached auth type " + session.getAuthType()
                                  + " for principal " + session.getPrincipal());
                    hrequest.setAuthType(session.getAuthType());
                    hrequest.setUserPrincipal(principal);
                }
            }
        }
    }

If we look now at the authenticate method in the FormAuthenticator.java class:
- the first thing it does is check if there is a Principal in the Request
- if there is a Principal, it returns true

    // Have we already authenticated someone?
    Principal principal = hreq.getUserPrincipal();
    String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
    if (principal != null) {
        if (log.isDebugEnabled())
            log.debug("Already authenticated '" + principal.getName() + "'");
        // Associate the session with any existing SSO session
        if (ssoId != null)
            associate(ssoId, getSession(request, true));
        return (true);
    }

My question is: why are we putting the Principal in the Request? Why can't we just authenticate the user if there is a principal in the internal Session?! It doesn't make sense to put the Principal in the Request and then, in the authentication method, just test if there is a Principal in the Request and return true.
In other words, what kind of security does this process provide?! Was I clear enough?

Thanks for everything,
Regards from Braga, Portugal
Bárbara Vieira

From: Carlo Politi [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 November 2007 23:49
To: [EMAIL PROTECTED]
Subject: Re: Tomcat's container architecture - Authenticator

Hi Bárbara,
I can help you because I'm doing a new authenticator as work for my thesis. I have analyzed BasicAuthenticator and modified it; could you tell me the right point of your problem?

----- Original message -----
From: Bárbara Vieira <[EMAIL PROTECTED]>
To: users@tomcat.apache.org
Sent: Wednesday, 28 November 2007, 0:23:49
Subject: Tomcat's container architecture - Authenticator

Hi there!
This question is about the Authenticator package. I would appreciate it if anyone can help me.
I'm implementing a Valve and a Realm to provide authentication and authorization using two authentication methods at the same time: FORM and CERT-CLIENT. Obviously, I'm looking at the authenticator package code, more precisely at AuthenticatorBase.class and FormAuthenticator.class, and analyzing that. From this analysis some questions have emerged about what the authors are doing in the invoke method of the AuthenticatorBase class. In other words, what I would like to know is: why are the authors putting the Principal on the request, and then the next step is to authenticate the request?! I don't understand the reason why we have to pass the request to the authenticate method in the FormAuthenticator class, because that method isn't doing anything if the request has a principal. This doesn't make any sense, because first we put the principal on the request and next, in the authenticate method, we just test if the request has a principal. Why do we have to put the principal on the request?! Why can't we just authenticate the user if the request has a principal, or if the principal is in the internal session?!
I'm a little bit confused about that :)

Thanks for everything,
Regards from Braga, Portugal,
Bárbara Vieira
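As an added example (not Tomcat's code, and not part of any message in this thread), here is a small stand-alone Java model of the two steps Bárbara quotes: invoke() copies the session's cached Principal onto the request, and authenticate() then short-circuits for that request while still verifying the login form for a request that arrives with nothing cached. The class names mirror the Tomcat ones but are simplified stand-ins; the session ids, the account and the password are constructed for the demonstration.

```java
// Added example, not Tomcat's code: a stand-alone model of the flow described
// in the thread. Class names mirror Tomcat's but are simplified stand-ins;
// session ids and the realm's one account are constructed sample values.
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class AuthFlowDemo {

    // Stand-in for org.apache.catalina.Session: server-side state, keyed by id.
    static final class Session {
        Principal principal;   // filled in once, after a successful FORM login
        String authType;
    }

    // Stand-in for the request: what the application and the authorization
    // step read through getUserPrincipal(). The principal field is only ever
    // set by the container, never derived from anything the client sent.
    static final class Request {
        final String sessionId;        // from the session cookie, may be null
        final String user, password;   // FORM login fields, null otherwise
        Principal principal;
        String authType;
        Request(String sessionId, String user, String password) {
            this.sessionId = sessionId; this.user = user; this.password = password;
        }
        Principal getUserPrincipal() { return principal; }
    }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Session store and a tiny "realm" holding one constructed account.
    static final Map<String, Session> sessions = new HashMap<>();
    static final Map<String, String> realm = Map.of("barbara", "correct-horse");

    // Mirrors AuthenticatorBase.invoke(): if the session already holds a
    // Principal, expose it on this request, then hand off to authenticate().
    static boolean invoke(Request req) {
        Session session = req.sessionId == null ? null : sessions.get(req.sessionId);
        if (req.getUserPrincipal() == null && session != null && session.principal != null) {
            req.authType = session.authType;
            req.principal = session.principal;
        }
        return authenticate(req, session);
    }

    // Mirrors FormAuthenticator.authenticate(): an already-authenticated request
    // passes at once; otherwise the submitted form is checked against the realm
    // and, on success, the result is cached in the session for later requests.
    static boolean authenticate(Request req, Session session) {
        if (req.getUserPrincipal() != null) {
            return true;                      // the "Already authenticated" branch
        }
        if (req.user == null || session == null) {
            return false;                     // real code would send the login form
        }
        String expected = realm.get(req.user);
        if (expected == null || !expected.equals(req.password)) {
            return false;                     // bad credentials, nothing is cached
        }
        Principal p = new SimplePrincipal(req.user);
        session.principal = p;  session.authType = "FORM";  // cache for the session
        req.principal = p;      req.authType = "FORM";      // and expose on this request
        return true;
    }

    public static void main(String[] args) {
        sessions.put("S1", new Session());
        sessions.put("S2", new Session());

        // 1. Login POST on session S1: credentials verified, principal cached.
        Request login = new Request("S1", "barbara", "correct-horse");
        System.out.println("login S1       -> " + invoke(login)
                           + " as " + login.getUserPrincipal().getName());

        // 2. Later plain GET on S1: no credentials, but invoke() restores the
        //    principal from the session and authenticate() returns at once.
        Request later = new Request("S1", null, null);
        System.out.println("later GET S1   -> " + invoke(later)
                           + " as " + later.getUserPrincipal().getName() + " via " + later.authType);

        // 3. A request on a different session shares nothing with S1.
        Request other = new Request("S2", null, null);
        System.out.println("GET S2         -> " + invoke(other) + ", principal " + other.getUserPrincipal());

        // 4. An unknown session id yields no session and therefore no principal.
        Request stale = new Request("nope", null, null);
        System.out.println("GET unknown id -> " + invoke(stale) + ", principal " + stale.getUserPrincipal());
    }
}
```

The point the model makes is that the request object is the only place the later consumers look: the application's getUserPrincipal() and the authorization check both read the request, not the session, so invoke() has to copy the cached Principal there before anything downstream runs. authenticate() is then only the fallback for a request that arrives with nothing cached, and the credentials are verified exactly once per session rather than on every request. Because the cached identity lives in the server-side session and the request-level copy is written only by the container, a client that presents no session, another user's session id or an expired one gets no Principal at all.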