Re: Realms and User Sessions.

2002-02-19 Thread Mark Diggory

I just wanted to finish up this thread...

Mark R. Diggory wrote:

>>
>>
>>>> If you want to modify the state of the current request or session, you
>>>> should really be looking at subclassing one of the existing Authenticator
>>>> classes, instead of trying to do that in the Realm.
>>>>
>>
>> The Authenticator is chosen based on which  you select.  One
>> of the four Authenticator valves will be selected automatically, based on
>> the mapping in the Authenticator.properties file in the
>> o.a.c.authenticators package.
>>
> 
> All the Authenticators (Form, Basic, Digest...) appear to be 'final' in
> my catalina.jar archive (tomcat 4.0.1) making them not extendable.
>
> I could subclass AuthenticatorBase, but would that mean my Authenticator
> was unavailable in the o.a.c.startup.Authenticator.properties file?
>
> Does this mean I'll have to configure and rebuild tomcat to use my
> Authenticator?
> 
> -Mark Diggory
> 
> 
> 
> -- 
> To unsubscribe:   
> For additional commands: 
> Troubles with the list: 
> 







Re: Realms and User Sessions.

2002-02-18 Thread Mark R. Diggory

>
>
>>>
>>>If you want to modify the state of the current request or session, you
>>>should really be looking at subclassing one of the existing Authenticator
>>>classes, instead of trying to do that in the Realm.
>>>
>
>The Authenticator is chosen based on which  you select.  One
>of the four Authenticator valves will be selected automatically, based on
>the mapping in the Authenticator.properties file in the
>o.a.c.authenticators package.
>

All the Authenticators (Form, Basic, Digest...) appear to be 'final' in
my catalina.jar archive (tomcat 4.0.1) making them not extendable.

I could subclass AuthenticatorBase, but would that mean my Authenticator
was unavailable in the o.a.c.startup.Authenticator.properties file?

Does this mean I'll have to configure and rebuild tomcat to use my
Authenticator?

-Mark Diggory







Re: Realms and User Sessions.

2002-02-18 Thread Craig R. McClanahan



On Mon, 18 Feb 2002, Mark R. Diggory wrote:

> Date: Mon, 18 Feb 2002 20:20:43 -0500
> From: Mark R. Diggory <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Realms and User Sessions.
>
> >
> >
> >
> >I assume you are talking about Tomcat 4, right?
> >
> Yes.
>
> >
> >If so, there is no way for the Realm itself to reference the user's
> >session -- all a Realm knows how to do is answer the "is this user
> >authorized" and "does this user have the right role" type questions.
> >
> >If you want to modify the state of the current request or session, you
> >should really be looking at subclassing one of the existing Authenticator
> >classes, instead of trying to do that in the Realm.  The Authenticator has
> >complete access to the current request, so you can get the session via:
> >
> >  HttpSession session =
> >    ((HttpServletRequest) request.getRequest()).getSession();
> >
> >Don't forget to put the classes for the objects you might create into
> >common/lib so that they are visible to both Catalina and your webapp.
> >
> >
> >Craig
> >
> Well, I learn something new every day
>
> So, let me see if I have this correct.
>
> 1.) I define a  pointing to my custom authentication class in my
> server.xml (in my webapps context).
>
> 
>  debug="0"/>
> 
>
> 2.) Dump my files into tomcat/common to support that valve.
> 3.) Then define any security constraints required by my webapp in its
> web.xml file.
>
> 
> Administration Pages
> 
> Protected Area
> 
> /Administration/*
> 
> 
> 
> administrators
> curators
> 
> 
> 
> 
> FORM
> Example Form-Based Authentication Area
> 
> /Authority/login.jsp
> /Authority/error.jsp
> 
> 
>
>
> After this any security constraints should activate the
> Valve/Authenticator and not a Realm for authentication? How does Tomcat
> know which Authenticator to use?
>

The Authenticator is chosen based on which  you select.  One
of the four Authenticator valves will be selected automatically, based on
the mapping in the Authenticator.properties file in the
o.a.c.authenticators package.

> Just make sure, does this still in any way require the use of a Realm class?

There still needs to be a Realm that actually looks up users in a
database, but the choice of Realm is orthogonal to the choice of
Authenticator -- any combination of the two is valid.  As with a standard
Tomcat install, the Realm can be either directly associated with a
Context, or inherited from the owning Host or Engine.

>
> -Mark
>

Craig






Re: Realms and User Sessions.

2002-02-18 Thread Mark R. Diggory

>
>
>
>I assume you are talking about Tomcat 4, right?
>
Yes.

>
>If so, there is no way for the Realm itself to reference the user's
>session -- all a Realm knows how to do is answer the "is this user
>authorized" and "does this user have the right role" type questions.
>
>If you want to modify the state of the current request or session, you
>should really be looking at subclassing one of the existing Authenticator
>classes, instead of trying to do that in the Realm.  The Authenticator has
>complete access to the current request, so you can get the session via:
>
>  HttpSession session =
>    ((HttpServletRequest) request.getRequest()).getSession();
>
>Don't forget to put the classes for the objects you might create into
>common/lib so that they are visible to both Catalina and your webapp.
>
>
>Craig
>
Well, I learn something new every day

So, let me see if I have this correct.

1.) I define a  pointing to my custom authentication class in my 
server.xml (in my webapps context).





2.) Dump my files into tomcat/common to support that valve.
3.) Then define any security constraints required by my webapp in its 
web.xml file.


Administration Pages

Protected Area

/Administration/*



administrators
curators




FORM
Example Form-Based Authentication Area

/Authority/login.jsp
/Authority/error.jsp




After this any security constraints should activate the 
Valve/Authenticator and not a Realm for authentication? How does Tomcat 
know which Authenticator to use?

Just make sure, does this still in any way require the use of a Realm class?

-Mark
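
The descriptor in the message above lost its element tags when the list archive stripped markup. As an added example (not part of the original post), here are the same values placed in a Servlet 2.3 web.xml fragment; putting "Administration Pages" in <display-name> is an assumption, the remaining elements follow from the deployment descriptor DTD.

```xml
<!-- Added example: fragment of WEB-INF/web.xml (Servlet 2.3); values taken from the message above -->
<security-constraint>
  <!-- Assumption: the first stripped value was the constraint's display name -->
  <display-name>Administration Pages</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- No <http-method> is listed, so the constraint covers every HTTP method -->
    <url-pattern>/Administration/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- A user holding either role is admitted; role membership comes from the Realm -->
    <role-name>administrators</role-name>
    <role-name>curators</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- This value is what selects the Authenticator valve for the Context -->
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <!-- Both pages sit outside /Administration/*, so they stay reachable before login -->
    <form-login-page>/Authority/login.jsp</form-login-page>
    <form-error-page>/Authority/error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

The Realm configured on the Context, Host or Engine still verifies the credentials that the login form submits.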









Re: Realms and User Sessions.

2002-02-18 Thread Craig R. McClanahan



On Mon, 18 Feb 2002, Mark R. Diggory wrote:

> Date: Mon, 18 Feb 2002 18:01:20 -0500
> From: Mark R. Diggory <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Realms and User Sessions.
>
> There are some objects I create inside my Custom Security Realm that I
> want to make available in the user's session. Is there a way I can get
> hold of the user's session from within my custom realm class?
>

I assume you are talking about Tomcat 4, right?

If so, there is no way for the Realm itself to reference the user's
session -- all a Realm knows how to do is answer the "is this user
authorized" and "does this user have the right role" type questions.

If you want to modify the state of the current request or session, you
should really be looking at subclassing one of the existing Authenticator
classes, instead of trying to do that in the Realm.  The Authenticator has
complete access to the current request, so you can get the session via:

  HttpSession session =
    ((HttpServletRequest) request.getRequest()).getSession();

Don't forget to put the classes for the objects you might create into
common/lib so that they are visible to both Catalina and your webapp.

> -Mark Diggory
>

Craig






Realms and User Sessions.

2002-02-18 Thread Mark R. Diggory

There are some objects I create inside my Custom Security Realm that I
want to make available in the user's session. Is there a way I can get
hold of the user's session from within my custom realm class?

-Mark Diggory


