Christopher Schultz wrote:
João,
On 11/18/2009 2:13 PM, João Nuno Silva wrote:
Caldarale, Charles R wrote:
I'm curious as to why you're reinventing this particular wheel. Why
not let Tomcat's built-in authentication handling do the hard work for
you, and you just supply either a custom Realm or a JAAS-compliant
login module to do the actual user validation? That would seem to be
a lot easier and a lot less dependent on the internals of the
particular Tomcat version you happen to be using.
I'm doing this as a hobby, not at work! With this in mind, my reasons are:
1) I want to have an authentication module that's independent of the
servlet container used (because I think this behavior of request replay
isn't a standard, but I might be wrong...);
You could look at securityfilter, which was built for just such a
purpose. There's also ACEGI or "Spring Security" which is also
independent of the container.
I'll try Spring Security, they don't specifically mention request replay
but I guess it "must" support it. Thank you!
2) I believe I can better optimize session creation to reduce memory
usage (because I won't save the previous request in session). I think
this way I can be more tolerant of DoS attacks from unauthenticated users;
Empty sessions are pretty light. I would guess that your additional
credential management overhead will end up being roughly equivalent to
what Tomcat experiences using sessions to store its information.
3) I'm learning a few things in the process of reinventing this wheel ;)
Well, there's no reason to stop you, then :)
- -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org