On Mon, 10 Feb 2003, Jim Krygowski wrote:
> Date: Mon, 10 Feb 2003 12:48:24 -0500
> From: Jim Krygowski <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: JAASRealm/LoginManager questions
>
> Hi Bryan-
>
> I've done something similar to this on Tomcat and JRun. I noted in your
> last comment:
>
> > But as you say prior, the filters aren't even being run, apparently,
> > before the container evaluates j_username and j_password, so I guess I
> > have no Servlet-standard hook there. I guess it's off to the
> > Authenticator API I go.
> >
> > Heck, at least I can keep all the authentication logic in one place with
> > that strategy, as opposed to splitting it between a Filter and a
> > LoginModule.
>
> I'm not sure I completely understand your conclusion, but if you want to use
> JAAS, you will need a login module. The custom Authenticator Craig speaks
> of will automate the typical 2 step Form Authentication process. The
> Authenticator doesn't interact with the security datastore, the LoginModule
> does.
>
> I think rolling your authentication logic into the Authenticator might
> violate the separation of concerns inherent in the authenticator/login
> module design. The Authenticator (like the FormAuthenticator) should be
> responsible for the user side of the interaction: is the user session
> authenticated? is the user offering credentials? where does the user want to
> go? The LoginModule should be responsible for interacting with the security
> data store and given a set of credentials, verifying that they are proper
> and returning a Principal after successful authentication.
>
> BTW: I see a lot of value in what you are doing. It would be nice to have a
> standard for single sign on that worked across all J2EE compatible servers.
> However, as it stands now, you will have to write LoginModules and
> Authenticator-type components for each container you encounter.
Making something like this possible is one of the key motivations for the new JSR on standardizing the interface between containers and authentication mechanisms. It'll be possible to do this kind of thing portably once that's done; in the meantime, it's container specific.

Craig
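The Authenticator/LoginModule split Jim describes, as an added example that is not part of the thread: a hypothetical JAAS LoginModule (ExampleLoginModule, UserPrincipal and the in-memory STORE are all constructed for illustration, standing in for a real security data store) that does only the data-store side of the job, verifying a username and password handed to it through the standard NameCallback/PasswordCallback and returning a Principal on success. Under Tomcat's JAASRealm the realm plays the Authenticator's role and supplies the CallbackHandler; the main method below stands in for that so the module runs on its own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule: verifies credentials against a data store and returns a Principal. */
public class ExampleLoginModule implements LoginModule {

    /** Hypothetical user Principal; under JAASRealm its class name would go in the realm's userClassNames. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Constructed in-memory "security data store": username -> SHA-256(password).
    // A real module would query LDAP/JDBC and store salted, iterated password hashes.
    private static final Map<String, byte[]> STORE = Map.of("alice", sha256("s3cret".toCharArray()));

    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal pending;      // established by login(), added to the Subject by commit()
    private boolean loginSucceeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // The container/Authenticator already collected j_username and j_password;
        // the LoginModule only sees them through the callbacks.
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback pwCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        String name = nameCb.getName();
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        try {
            if (name == null || pw == null) throw new FailedLoginException("missing credentials");
            byte[] expected = STORE.get(name);
            // MessageDigest.isEqual compares in constant time, so a wrong guess leaks nothing via timing.
            if (expected == null || !MessageDigest.isEqual(expected, sha256(pw))) {
                throw new FailedLoginException("bad username or password");   // same message for both cases
            }
            pending = new UserPrincipal(name);
            loginSucceeded = true;
            return true;
        } finally {
            Arrays.fill(pw == null ? new char[0] : pw, '\0');   // do not keep the cleartext around
        }
    }

    @Override
    public boolean commit() {
        if (!loginSucceeded) return false;
        subject.getPrincipals().add(pending);   // this is the Principal the container will see
        return true;
    }

    @Override
    public boolean abort() { pending = null; loginSucceeded = false; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        return true;
    }

    private static byte[] sha256(char[] chars) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(new String(chars).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Stand-alone driver: plays the Authenticator's part by feeding credentials through a CallbackHandler. */
    public static void main(String[] args) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        Subject subject = new Subject();
        LoginModule lm = new ExampleLoginModule();
        lm.initialize(subject, handler, new HashMap<>(), new HashMap<>());
        if (lm.login()) lm.commit(); else lm.abort();
        System.out.println("principals after login: " + subject.getPrincipals());
    }
}
```

Nothing in the module knows whether the credentials came from a login form, a BASIC header or a single-sign-on cookie; that is the Authenticator's concern, which is exactly the division of labour Jim argues for. To wire a module like this into Tomcat you would name it in a JAAS login configuration file and point a JAASRealm at that application name, listing the Principal class in userClassNames (and any role Principal classes in roleClassNames).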