realm always checked?

2000-12-27 Thread Kyle F. Downey


Quick question: why does Catalina check with the Realm implementation on
every HTTP request, even after a successful authentication? Is it the
responsibility of the Realm to handle caching and expiring of credentials?
Seems to me that would lead to a good bit of replication of code among
Realm implementations.

Also, would there be any objection to my factoring out common functions
from MemoryRealm, JDBCRealm and JAASRealm into an "AbstractRealm" helper class?
There's a lot of cut-and-pasting to do when writing a Realm right now. I
can post said class for review, since I am not a committer.

--kd




Re: realm always checked?

2000-12-27 Thread Craig R. McClanahan

"Kyle F. Downey" wrote:

> Quick question: why does Catalina check with the Realm implementation on
> every HTTP request, even after a successful authentication? Is it the
> responsibility of the Realm to handle caching and expiring of credentials?
> Seems to me that would lead to a good bit of replication of code among
> Realm implementations.


If you are in a session, the authenticated principal is actually cached (in a
private variable inside the Session object).  If you are not in a session, Catalina
has no choice but to authenticate you every time, because it has no way to know
that the second request came from the same person or not.

As a practical matter, when you are using BASIC and DIGEST authentication the
browser keeps sending the "Authorization" header on each request with a matching
"Realm", so the user does not see this happening -- but your Realm implementation
does.


> Also, would there be any objection to my factoring out common functions
> from MemoryRealm, JDBCRealm and JAASRealm into an "AbstractRealm" helper class?
> There's a lot of cut-and-pasting to do when writing a Realm right now. I
> can post said class for review, since I am not a committer.


There is already a RealmBase class which the current implementations subclass.
Would it make sense to migrate common functionality there instead of creating
another base class?


> --kd

Craig





Re: realm always checked?

2000-12-27 Thread Kyle F. Downey


> If you are in a session, the authenticated principal is actually cached (in a
> private variable inside the Session object).  If you are not in a session, Catalina
> has no choice but to authenticate you every time, because it has no way to know
> that the second request came from the same person or not.


I haven't put the session-handling code in my servlet yet, so there isn't one!
Thanks, Craig.

regards,
kd
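
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Catalina's code: a simplified model in which the Realm is consulted on every BASIC-authenticated request when there is no session, and only on the first request when a session caches the principal. `CountingRealm`, `check`, the `"principal"` map key and the sample user are hypothetical names and constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class RealmCallDemo {
    // Hypothetical stand-in for a Realm: counts how often it is consulted.
    static class CountingRealm {
        int calls = 0;
        private final Map<String, String> users = new HashMap<>();
        CountingRealm() { users.put("alice", "constructed-password"); } // constructed sample user
        Principal authenticate(String user, String password) {
            calls++;
            String expected = users.get(user);
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                    password.getBytes(StandardCharsets.UTF_8))) return null;
            return () -> user; // Principal's only abstract method is getName()
        }
    }

    // Simplified model of the per-request check: session cache first, then the Realm.
    // A Map stands in for the Session object (assumption made for this example).
    static Principal check(Map<String, Object> session, String authz, CountingRealm realm) {
        Object cached = (session == null) ? null : session.get("principal");
        if (cached != null) return (Principal) cached; // cached, Realm not consulted
        if (authz == null || !authz.startsWith("Basic ")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authz.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as unauthenticated
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        Principal p = realm.authenticate(decoded.substring(0, colon), decoded.substring(colon + 1));
        if (p != null && session != null) session.put("principal", p);
        return p;
    }

    public static void main(String[] args) {
        // The browser resends the same Authorization header on each request.
        String authz = "Basic " + Base64.getEncoder()
                .encodeToString("alice:constructed-password".getBytes(StandardCharsets.UTF_8));
        CountingRealm a = new CountingRealm(), b = new CountingRealm();
        Map<String, Object> session = new HashMap<>();
        for (int i = 0; i < 3; i++) { check(null, authz, a); check(session, authz, b); }
        System.out.println("no session: " + a.calls + " realm calls; session: " + b.calls);
    }
}
```

In this model a principal cached in the session is not rechecked against the Realm, so a password change or account removal only takes effect for that client once the session ends.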