Although the specification does not cover whether the *ServerAuthModule *should be stateful or stateless, I think we'd better keep it stateless for scalability.
2009/4/5 Xie Xiaodong <xxd82...@gmail.com> > Thank you, David. > > After having a glance at JSR-196 Specification, the intuitive of design > decision is to implement the built in auth methods (BASIC, DIGEST, FORM, > CLIENT_CERT) of Tomcat Valve with ServerAuthModule. And I agreed the > difficulty of implementing the auth function into filter you mentioned in > previous mail, so I decided to implementing so independent structure > consistent with JSR-196. As this specification specified, the API is > something like this: > > > 1. AuthConfigFactory factory = AuthConfigFactory.getFactory(); > 2. AuthConfigProvider provider = > factory.getConfigProvider(layer,appID,listener); > 3. ServerAuthConfig config = > provider.getServerAuthConfig(layer,appID,cbh) > 4. String authContextID = config.getAuthContextID(messageInfo); > 5. ServerAuthContext context = > config.getAuthContext(authContextID,subject,properties); > 6. context.secureResponse(messageInfo,subject); > > And the functionality of formal Tomcat valve will be refactored into > ServerAuthModule which will be encapsulated by ServerAuthContext. > > I'll check where caching could be used for the efficiency. > > And I think it is import to go with the specification since it will allow > other developer to contribute their own code, and our code could also be > used by others. > > ps: I greatly agree with the structure you give in previous mail: > > check user data constraints > Status status = validate request > if (status == success) { > check web resource constraints > process request > secure response > } > > > > > > > 2009/4/5 David Jencks <david_jen...@yahoo.com> > > >> On Apr 4, 2009, at 3:01 PM, Xie Xiaodong wrote: >> >> Hello, Dear All, >>> First, thank you very much for you valuable comments, Mark. >>> I've revised my project plan based on the comments of Mark, since I >>> could >>> not edit my proposal any longer, I wrote the revised version of project >>> plan >>> in a comment of my proposal, you can find it for certain by searching the >>> "Show Student Proposal" page with "xiaodong xie wrote". Sorry for this >>> inconvenience. >>> I am now getting myself familiar with the Servlet Container Profile of >>> JSR-196 in order to move the Authentication funcationality of valve into >>> some independent structure consistence with JSR-196. This part will be >>> added >>> into my project proposal in some comment later. >>> Any more comments, feedback and criticism to my proposal are welcomed. >>> >> >> While it is possible to implement the built in auth methods (BASIC, >> DIGEST, FORM, CLIENT_CERT) as jaspi auth modules it's not as efficient as >> having a more tomcat-specific auth method. The important part is really >> having a validate request method called before the web resource constraint >> check and a secure response method called after the request has been >> processed. There are a lot of opportunities for improved caching if you >> don't follow the jaspi model exactly, mostly by letting the authenticator >> return the user identity rather than passing in a brand new Subject instance >> for each request. >> >> I recommend that the valve or filter look something like this: >> >> check user data constraints >> Status status = validate request >> if (status == success) { >> check web resource constraints >> process request >> secure response >> } >> //otherwise the validate request call will have set up an appropriate >> response to continue the authentication message exchange >> >> "validate request" and "secure response" are delegated to some kind of >> authenticator similar to but more efficient than a jaspi auth context >> >> constraint checking can either be (abstract) methods on the (base) valve >> or delegated to some other object. The point here is to easily support both >> constraint based checking (as done in tomcat today) and jacc based >> permission checking (as done in geronimo and presumably other javaee >> integrations such as jboss) >> >> thanks >> david jencks >> >> >>> >>> -- >>> Sincerely yours and Best Regards, >>> Xie Xiaodong >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: dev-h...@tomcat.apache.org >> >> > > > -- > Sincerely yours and Best Regards, > Xie Xiaodong > -- Sincerely yours and Best Regards, Xie Xiaodong