On Fri, 25 Oct 2002, vsajip (yahoo.com) wrote:
> Date: Fri, 25 Oct 2002 23:06:29 +0100 > From: "vsajip (yahoo.com)" <[EMAIL PROTECTED]> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Problems with Tomcat4 Security Design > > I'm having problems using the Tomcat 4 security design for a slightly > customised requirement. I've created a custom realm for an external > information provider which, when I authenticate a user, gives me a token (in > the form of an essentially opaque object). This token needs to be passed > back to the external provider when accessing data protected by that > realm/external provider. I also need to enable single sign-on for a whole > virtual host. > > I've got almost everything working correctly - my custom realm authenticates > correctly, and SSO with it works. However, I can't do anything useful with > the external information provider, since the current design provides no way > to put the token object from the realm into a request, where it could be > accessed by a servlet, JSP etc. This is because the realm has no access to > the request - you need an authenticator for that. I tried subclassing > FormAuthenticator, but it's of no use - an authenticator has to be placed > into a context, and can't be placed into a host! So to achieve SSO, I have > to add the authenticator as a valve into every Context. I'd rather not do > this unless it's unavoidable - and anyway, what would be the way of getting > the token out of the realm into the authenticator? Can anyone suggest a > clean alternative way of getting things to work in the scenario I've > described? > > Also, why is it necessary to have getPassword(String username) and > getPrincipal(String username) in every Realm, especially as they all return > null except for the versions in MemoryRealm? > > The idea of orthogonal realm and authenticator is nice in theory, but it > seems that what I need is something like an Authenticator and Realm rolled > into one. I'd appreciate any comments from those of you with experience in > this area. (This is my first post to the list, so please be patient if I > have missed something simple. I have searched the mailing-list archive for > similar problems and found no joy.) > Sounds like you really should write a custom Authenticator that doesn't use the standard Realm back end. Nothing requires you to do that -- and, since you'd need a custom Realm anyway, you might as well just combine everything into a single class. By the way, Tomcat has standard support for single sign on. The actual implementation of this won't help you, but the design addresses one of your concerns. You embed the <Valve> element that implements this in the <Host> element, instead of in the <Context> element -- then, it is automatically applied to all requests for all webapps installed on that virtual host. That way, you don't have to manage a non-default configuration for every single webapp. You might want to see if something similar helps you with your custom SSO authenticator (which is really a Valve under the covers). > Thanks, > > Vinay Sajip Craig -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
