On Thu, 25 Oct 2001, Antony Bowesman wrote:
> Date: Thu, 25 Oct 2001 14:12:36 +0300
> From: Antony Bowesman <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Getting HttpRequest inside Realm/Tomcat 4
>
> Hi Craig,
>
> Thanks for your comments again.
>
> > You're right ... there is nothing there to do this. The original
> > design was based on the idea that Realm simply encapsulates a
> > service that authenticates a user, given a username and some
> > credentials. In addition, it needs to work even when HTTP sessions
> > are not in use (for example, for BASIC authentication).
> >
> > One strategy for dealing with this might be to register a session
> > event listener and registers your session in the sessionCreated()
> > event handler.
>
> I like the realm and general design in TC4, it's much better and cleaner
> than 3.2. However, I think there is something missing in the realm
> interface authenticate methods, particulary for form login:-
>
> If you modify a login form to include a field other than j_username and
> j_password so the user can select some kind of 'post login preferences'
> it is not possible to get this extra field to the realm.
>
The mechanics of form-based login was the subject of no little amount of
discussion in the JSR-053 expert group during the development of Servlet
2.3. The idea of supporting additional fields was discussed somewhat, but
in the end we decided to punt on making any big-time changes, because it
became obvious that this problem has a larger scope than just logging
users in to a web application.
One of the outgrowths of that realization is another JSR that you might
want to keep track of (via <http://www.jcp.org>:
JSR #115 -- Java(tm) Authorization Service Provider
Contract for Containers
Once this is fleshed out, Tomcat can be modified to support the new
SPI contracts, and your Realm-equivalent implementation will itself be
portable to different containers if it conforms. Until then, though, I'm
a little gunshy about mucking around with the Realm interface.
> We use JAAS for authentication. JAAS allows and one of the login
> modules authenticates against our EJB user repository and loads user
> preferences (groups/roles etc) and one feature the user can select is
> their preferred role set for the session.
>
> I don't think the event listener will work for our use, following login,
> so it seems the following is how I can achieve what I want.
>
> Replace the org.apache.catalina.authenticator.FormAuthenticator with my
> own FormAuthenticator class by modifying the Authenticators.properties
> and extend the realm interface to pass either a map of http request
> parameters, or in fact the http request itself. My realm can do what it
> wants.
>
That seems like a reasonable strategy.
> What about passing the Request object as a parameter to the Realm
> interface authenticate() methods for 4.1 release.
>
> And how about having only a JAAS realm in standard tomcat and just
> provide different login modules for jdbc/jndi/other access.
>
> JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
> Tomcat 4?
>
The current supported minimum is JDK 1.2.2. And, I thought JAAS required
1.4 -- am I mis-remembering?
> BTW, I saw you offered your BOF slides to someone, are they available?
>
I assume you mean my BOF on container-managed security, right? Forwarded
under separate cover.
> Rgds
> Antony
>
Craig
