Hello.

Mark,

On 5/20/14, 4:28 AM, Mark Thomas wrote:
On 20/05/2014 09:11, Jan Vávra wrote:
Hello.

I am writing my own realm implementation for Tomcat 7.x. In the
method Principal authenticate(X509Certificate[] certs) I'd like
to read request headers. My authentication would be based on
client certificate + custom http request value. Is it possible?
In Tomcat, the Authenticator is responsible for gathering the
credentials. This often requires interaction with the Request and
related objects.

The Realm is responsible for validating credentials. Therefore the
Realm does not need access to the Request and related objects.
This is something that securityfilter supports using a sub-interface
of the Realm (analog) interface that has the ability to access the
request directly. It's a bad architecture, but very useful for doing
things such as recording login failures and their source IP addresses,
etc.

Is there some way that additional information (e.g. source IP address)
could be provided to the Realm for things such as this? It's one of
the reasons we still use sf instead of Tomcat's built-in realms.
(Another is the lack of decent password-checking algorithms, but I'm
working on that:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).
Well, I looked at Chris's SecurityFilter and I'll go the same way. I'll get rid of the realm and write my own simple security filter. We also plan to support OAuth 2.0 authentication, where the auth header is transferred in the form Authorization: Bearer xxxxx. And in other cases I need to combine client cert auth with basic auth. In the other project we're also behind an authentication system that sends my Tomcat an X-Authorized-As header.

So I have many reasons to access the Request object, and writing the filter seems to me the only way to authenticate a web service method (server side).
Jan.


    Thanks,
    - -chris
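As an added example, not code from this thread, from Tomcat or from the securityfilter project, the following servlet Filter does what Jan describes: it combines the TLS client certificate with an Authorization: Bearer header and logs failures with the source IP, the thing Chris notes a Realm cannot do. The class name, the sample subject DN and the sample token are assumptions; the request attribute javax.servlet.request.X509Certificate is the standard Servlet API name under which Tomcat exposes the client chain the connector has already validated.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not from the thread): authenticates a request from the TLS
 * client certificate plus the Authorization header. A Filter sees the full
 * Request, which the Realm interface does not.
 */
public class CertPlusHeaderAuthFilter implements Filter {

    /** Standard Servlet attribute under which Tomcat exposes the validated client chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final Logger LOG = Logger.getLogger(CertPlusHeaderAuthFilter.class.getName());

    /** Constructed sample data: certificate subject DN -> bearer token that DN must present. */
    private final Map<String, String> tokensBySubject = new HashMap<>();

    @Override
    public void init(FilterConfig config) {
        // Hypothetical entry; a real deployment would load these from a store.
        tokensBySubject.put("CN=service-a,O=Example", "token-for-service-a");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        final String subject = authenticate(certs, request.getHeader("Authorization"));
        if (subject == null) {
            // The Realm cannot see this; the Filter records the failure and its source address.
            LOG.warning("authentication failed from " + request.getRemoteAddr());
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Publish the result through the standard request API for downstream code.
        final Principal principal = () -> subject;
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return subject; }
        }, response);
    }

    /** Returns the authenticated subject DN, or null if either factor fails. */
    String authenticate(X509Certificate[] certs, String authorization) {
        if (certs == null || certs.length == 0) {
            return null;                     // connector presented no client certificate
        }
        X509Certificate leaf = certs[0];     // end-entity certificate comes first in the chain
        try {
            leaf.checkValidity();            // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return null;
        }
        String subject = leaf.getSubjectX500Principal().getName();
        String expected = tokensBySubject.get(subject);
        String presented = bearerToken(authorization);
        if (expected == null || presented == null) {
            return null;
        }
        // Constant-time comparison so a wrong token leaks no timing information.
        boolean match = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                              presented.getBytes(StandardCharsets.UTF_8));
        return match ? subject : null;
    }

    /** Extracts the token from "Authorization: Bearer xxxxx"; null for any other header. */
    static String bearerToken(String header) {
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        String token = header.substring(7).trim();
        return token.isEmpty() ? null : token;
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml in front of the web service URLs. The certificate check only means something when the Tomcat connector is configured to request and verify client certificates, because the attribute is set by the connector from the TLS handshake and never from request content; by the same reasoning, a header such as X-Authorized-As from an upstream authentication system should only be trusted by a filter on a connector that is reachable solely from that system.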
