Glenn Nielsen wrote:

> There are a number of different types of realm implementations in
> org.apache.catalina.realm. These are all solely used for web application
> realm based authentication except for those which implement the
> UserDatabase which understands users, groups, and roles and has methods
> for managing these.  Also a UserDatabase can be instantiated as a JNDI
> resource.
> 
> It would be nice if all realm implementations could support not only
> authentication
> and authorization but also management of users, groups, and roles.  And be
> instantiated as a JNDI resource so it can be provided by the container as
> a resource to a virtual host.

Requiring all realm implementations to support user management is 
not a good idea. Some realms can do that ( database, our own file, ldap)
and some just can't ( passwd, kerberos/radius/tacacs, etc ).

I think we have 3 distinct issues:
- authorization: I think tomcat needs to expose a single hook and provide
a default implementation ( using the mapper - it can also implement jsr115,
but it needs to be efficient )

- authentication: again one hook that could be implemented by delegating
to apache or use JAAS ( that should be the default - and all current
Realms migrated to JAAS plugins ! )

- user management. That should be optional - and probably the best 
abstraction is JNDI. Besides user/pass/certificate it can store all other
user attributes. I think we should be consistent on naming the attributes 
as in the inetUser LDAP schema ( it will work out-of-box with existing
ldap servers and easy to translate to databases, etc ). All UserDatabase
impl should be migrated to JNDI providers, and UserDatabase deprecated (
or implemented on top of jndi ).

Costin
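As an added illustration of the split proposed above, not code from Tomcat or from either poster: three separate hooks, with user management as an optional capability that a realm over an externally managed store (passwd, Kerberos) simply does not implement, and attribute keys named after the inetOrgPerson LDAP schema. The interface names, the in-memory store, the salted-digest password record and the sample users are all constructed for this example; a JAAS-backed realm would sit behind the same `Authenticator` hook.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public final class RealmHooksExample {

    // Hook 1: authentication. A realm over passwd, Kerberos or a JAAS login module implements only this.
    public interface Authenticator {
        Optional<Principal> authenticate(String username, char[] password);
    }

    // Hook 2: authorization, answered from a role mapping the container holds.
    public interface Authorizer {
        boolean hasRole(Principal principal, String role);
    }

    // Hook 3, optional: user management. Attribute keys follow the inetOrgPerson schema (cn, mail, ...).
    public interface UserManagement {
        void createUser(String uid, char[] password, Map<String, String> attributes);
        void assignRole(String uid, String role);
        Map<String, String> attributes(String uid);
    }

    private static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Salted SHA-256 record (hypothetical store); a real one would use a slow KDF such as PBKDF2 or bcrypt.
    private static final class Credential {
        final byte[] salt, digest;
        Credential(byte[] salt, byte[] digest) { this.salt = salt; this.digest = digest; }
    }

    private static byte[] digest(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // A realm that can do all three: the in-memory analogue of a database-backed UserDatabase.
    public static final class InMemoryRealm implements Authenticator, Authorizer, UserManagement {
        private final Map<String, Credential> credentials = new HashMap<>();
        private final Map<String, Map<String, String>> attrs = new HashMap<>();
        private final Map<String, Set<String>> roles = new HashMap<>();
        private final SecureRandom random = new SecureRandom();

        @Override public void createUser(String uid, char[] password, Map<String, String> attributes) {
            byte[] salt = new byte[16];
            random.nextBytes(salt);
            credentials.put(uid, new Credential(salt, digest(salt, password)));
            attrs.put(uid, new HashMap<>(attributes));
            roles.putIfAbsent(uid, new HashSet<>());
        }
        @Override public void assignRole(String uid, String role) {
            roles.computeIfAbsent(uid, k -> new HashSet<>()).add(role);
        }
        @Override public Map<String, String> attributes(String uid) {
            return attrs.getOrDefault(uid, Map.of());
        }
        @Override public Optional<Principal> authenticate(String username, char[] password) {
            Credential c = credentials.get(username);
            if (c == null) return Optional.empty();  // unknown user answers the same as a bad password
            boolean ok = MessageDigest.isEqual(c.digest, digest(c.salt, password));  // constant-time compare
            return ok ? Optional.<Principal>of(new SimplePrincipal(username)) : Optional.empty();
        }
        @Override public boolean hasRole(Principal principal, String role) {
            return roles.getOrDefault(principal.getName(), Set.of()).contains(role);
        }
    }

    // A realm whose users live in a system the container cannot edit: authentication is delegated,
    // authorization comes from a static role mapping, and there is deliberately no management hook.
    public static final class DelegatingRealm implements Authenticator, Authorizer {
        private final Authenticator external;
        private final Map<String, Set<String>> roleMapping;
        public DelegatingRealm(Authenticator external, Map<String, Set<String>> roleMapping) {
            this.external = external;
            this.roleMapping = roleMapping;
        }
        @Override public Optional<Principal> authenticate(String username, char[] password) {
            return external.authenticate(username, password);
        }
        @Override public boolean hasRole(Principal principal, String role) {
            return roleMapping.getOrDefault(principal.getName(), Set.of()).contains(role);
        }
    }

    public static void main(String[] args) {
        InMemoryRealm db = new InMemoryRealm();
        db.createUser("alice", "s3cret".toCharArray(), Map.of("cn", "Alice Example", "mail", "alice@example.com"));
        db.assignRole("alice", "manager");
        Principal alice = db.authenticate("alice", "s3cret".toCharArray()).orElseThrow(IllegalStateException::new);
        System.out.println("alice manager? " + db.hasRole(alice, "manager") + ", mail=" + db.attributes("alice").get("mail"));
        System.out.println("bad password?  " + db.authenticate("alice", "nope".toCharArray()).isPresent());

        // Stand-in for an external authenticator, constructed for the example (not a real passwd lookup).
        Authenticator fakeOs = (u, p) -> "bob".equals(u) && Arrays.equals(p, "hunter2".toCharArray())
                ? Optional.<Principal>of(new SimplePrincipal(u)) : Optional.empty();
        DelegatingRealm os = new DelegatingRealm(fakeOs, Map.of("bob", Set.of("tomcat")));

        // What an admin tool checks before offering "create user": only the optional hook, never the realm type.
        for (Object realm : new Object[] { db, os }) {
            System.out.println(realm.getClass().getSimpleName() + " manageable? " + (realm instanceof UserManagement));
        }
    }
}
```

The point the two realm classes make is the one in the reply: the container always needs the authentication and authorization hooks, but asks for `UserManagement` only when the backing store can honour it, so a passwd- or Kerberos-backed realm is a complete realm without pretending to edit users it does not own.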


