On 17/06/2010 02:41, Marc Boorshtein wrote: >>> >>> The problem with the Realm system is its designed with the assumption >>> that tomcat is doing the authentication which is not a valid >>> assumption in an environment where the authentication is seperated >>> from authorization. The entire point of container security is that as >>> a coder I don't have to worry about how any of this is implemented. >> >> The problem with Tomcat is that all too often it doesn't do what people >> expect it should do*. >> >> >> p >> >> * Or maybe the problem isn't Tomcat. > > I'm not looking to start a holy war here, but is there anything > incorrect in what I said? Tomcat is a servlet container, the servlet
Yes. You made a sweeping statement about container managed security which implied that things should just work. Someone has to make them work. As an app developer you might not have to worry about how the bits behind the API work, but some admin has to configure it properly. > API is a contract between the container and the developer, the > contract specifies how a developer would access role information > regardless of the implementation. Since the Realm implementation > assumes that Tomcat is doing the authentication and breaks when it > isn't Tomcat, isn't that a violation of the contract? No. I don't think it is. Your specific need might not be handled by the Realm implementations supplied with Tomcat, but that's not proof that either design of Realms is flawed or that Tomcat isn't spec compliant. > It's open > source, so I'm not complaining or demanding anything. I think I know > how to do what I need however that doesn't change the facts of the > situation that Tomcat does not have the built in capability for a > standard realm to simply retrieve user infomation as opposed to > authentication AND user retrieval that would enable Tomcat to maintain > its compliance while being fronted by Apache. The explanation you provided in your 3rd email doesn't sound like 'simply' to me. You also state that other servlet containers need a 3rd party agent to achieve the desired result. If your complaint is accurate then the other 3 servers you name must also 'violate the contract' because they don't provide what you need out of the box. p
signature.asc
Description: OpenPGP digital signature
