Hi Chris!!
> A request may be checked multiple times for authentication (think
> server-side forwards, etc.) so it's a small optimization to cache the
> principal in the request -- and it satisfies the requirement that
> request.getUserPrincipal() actually works, so it makes sense.

This is not an answer to my question. If you look at the sequence that the Request object goes through in the invoke method in AuthenticatorBase, and the authenticate method in the FormAuthenticator, you'll see that my question isn't that. I know that caching data is an optimization. But if we have the Principal in the cache, why do we have to call the authenticator method (FormAuthenticator)? That call doesn't provide any additional security. Can you understand now?

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 November 2007 17:09
To: Tomcat Users List
Cc: 'Carlo Politi'
Subject: Re: Tomcat's container architecture - Authenticator

Barbara,

Bárbara Vieira wrote:
> My question is: why are we putting the Principal in the Request?

So that request.getUserPrincipal() will return a value.

> Why can't we just authenticate the user if there is a principal in the
> internal Session?! It doesn't make sense to put the Principal in the
> Request, and then in the authentication method just test if there
> is a Principal in the Request and return true.

A request may be checked multiple times for authentication (think
server-side forwards, etc.) so it's a small optimization to cache the
principal in the request -- and it satisfies the requirement that
request.getUserPrincipal() actually works, so it makes sense.

> In other words, what kind of security does this process provide?!

There will never be a Principal object that has not been properly
authenticated. Is that good enough security for you?

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
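As an added illustration of the invoke/authenticate sequence the two of them are arguing about (a constructed model, not Tomcat's own AuthenticatorBase or FormAuthenticator code; the class names, the `users` map and the sample credentials are assumptions): every path that places a Principal in the request first goes through credential verification, so the "is there already a Principal in the request?" test is a cache hit, not a way around authentication.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Constructed model of the flow discussed in the thread; not Tomcat code.
final class NamePrincipal implements Principal {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

final class SessionModel { Principal cachedPrincipal; }   // what the session remembers

final class RequestModel {
    Principal userPrincipal;      // the per-request cache the thread talks about
    SessionModel session;         // null when the client has no session yet
    String username, password;    // form submission on this request, if any
    Principal getUserPrincipal() { return userPrincipal; }
}

final class FormAuthenticatorModel {
    private final Map<String, String> users = new HashMap<>(); // hypothetical realm

    FormAuthenticatorModel() { users.put("barbara", "s3cret"); } // constructed sample

    // Mirrors the authenticate() sequence: request cache, then session, then credentials.
    boolean authenticate(RequestModel req) {
        if (req.getUserPrincipal() != null) return true;      // already set on this request
        if (req.session != null && req.session.cachedPrincipal != null) {
            req.userPrincipal = req.session.cachedPrincipal;  // re-register from session
            return true;
        }
        if (req.username != null && req.password != null
                && req.password.equals(users.get(req.username))) {
            Principal p = new NamePrincipal(req.username);     // only set after a real check
            req.userPrincipal = p;
            if (req.session != null) req.session.cachedPrincipal = p;
            return true;
        }
        return false; // the real FormAuthenticator would redirect to the login form here
    }

    // Mirrors AuthenticatorBase.invoke(): the authenticator runs before the resource,
    // on every request, even though most calls are satisfied from one of the caches.
    boolean invoke(RequestModel req) { return authenticate(req); }
}
```

A first request carrying valid form credentials sets the Principal on both request and session; a later request on that session gets it back from the session cache; a request with neither a session nor credentials is refused, because nothing else ever writes `userPrincipal`.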