Michael,
On 5/7/24 14:06, Michael Osipov wrote:
Folks,
I am working on a custom Authenticator and Realm where I need to pass
down a custom value to Realm#authenticate(), more specially a value
obtained from javax.security.auth.Subject#getPrivateCredentials().
Currently, there is no such facility in the interface. Any idea how to
pass this down w/o touching the interface and w/o thread-local values?
The only thing I can think of is a custom realm interface, but that
means every realm needs to implement it...
This is the entire reason that the securityfilter[1] project exists.
It's quite old but gets around this kind of thing with... a custom
interface. We use it at $work because we want to be able to get IP
addresses to log logins and login failures.
Tomcat's Realm-related interfaces have always been too restrictive for
me, but I'm not entirely sure how to get around them.
I had a conversation with markt years ago at an ApacheCon event where I
asked about strategies to help out with this sort of thing, and his
relatively quick answer without thinking about it too much was to
suggest that (a) anything new and major should probably go into the
JASPIC/Jakarta Authentication component and (b) JASPIC/Jakarta
Authentication might already be able to do what I wanted.
I didn't follow-up at the time, so I can't validate whether he was right
about (b) or whether (a) would have been particularly easy/hard.
-chris
[1] https://securityfilter.sourceforge.net/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org