Sreyan,

On 9/9/15 12:49 PM, Sreyan Chakravarty wrote:
> Okay can you please guide me on how to log the bug. That would be
> great. If possible you could do it yourself also.

1. Register for Bugzilla at bz.apache.org
2. Fill out this form:
   https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208
   (You can get here from inside BZ, of course, but here's the link
   just in case you need it.)
3. Take care to describe this as best as you can. Feel free to
   reference this thread on the list; links to things like
   markmail.org are great because readers can easily follow them to
   get the context of the discussion, even if it's not fully
   contained in the bug report.
4. If you're up for it, propose a patch. You'll get your name into
   the changelog for all eternity :)

> And as far as opinions go I really don't know. The whole process of
> Realms seems confusing to me and it's overtly complicated.

Presumably you mean "overly complicated". It's actually not once you understand the complexity of what's being implemented. The Authenticator/Realm split exists because any combination of authentication mechanism (HTTP Basic, HTTP Digest, FORM, TLS-CERT, etc.) and credential-storage mechanism (e.g. JDBC database, Java Truststore, flat-file, etc.) needs to be supported.

I've always thought that the names (authenticator and realm) were bad and confusing (especially because HTTP Basic/Digest uses the term "realm" to describe the general thing-to-which-you-are-authenticating). Perhaps better names would be:

authenticator = credential solicitor
realm = credential validator

But these names are far too historic to change, now.

The good news now is that the realms support better than the least effort possible for a security system. The best you could do a year ago was to use a single run-through of a supported hash algorithm, and the default was MD5. Yuck. So, the fact that you can plug in your own algorithms for credential mutation is a really great system.
To wire in scrypt a year ago would have been a mess, unless you just wanted to write your own Realm that only supported a single authenticator.

Anyhow, things are getting better thanks to contributions from the community. Welcome to the community :)

-chris
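
The Authenticator/Realm split described in the message above, shown as a configuration sketch. This is an added example, not part of the original message and not taken from the Tomcat project's files. The resource name, table and column names, realm name and iteration counts are constructed placeholders, and PBKDF2WithHmacSHA512 is assumed to be available in the JVM in use.

```xml
<!-- WEB-INF/web.xml: the authenticator side ("credential solicitor").
     Only the mechanism used to ask the client for credentials is chosen here. -->
<login-config>
  <auth-method>BASIC</auth-method>        <!-- or DIGEST, FORM, CLIENT-CERT -->
  <realm-name>Example App</realm-name>    <!-- constructed name -->
</login-config>

<!-- META-INF/context.xml (or server.xml): the realm side ("credential validator").
     Where credentials are stored and how a presented password is checked. -->

<!-- Weak: one unsalted pass of MD5 over the password, the "single
     run-through" approach the message calls out. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB" localDataSource="true"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name">
  <CredentialHandler
      className="org.apache.catalina.realm.MessageDigestCredentialHandler"
      algorithm="MD5" iterations="1" saltLength="0"/>
</Realm>

<!-- Stronger: same realm, same authenticator, only the pluggable
     credential handler changes to a salted, iterated key-derivation function.
     The iteration count is a constructed value; tune it for your hardware. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB" localDataSource="true"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name">
  <CredentialHandler
      className="org.apache.catalina.realm.SecretKeyCredentialHandler"
      algorithm="PBKDF2WithHmacSHA512"
      iterations="100000" keyLength="256" saltLength="16"/>
</Realm>
```

Only one of the two Realm elements would be configured at a time. Stored values in `user_pass` must be regenerated with the same handler settings, since hashes produced by the MD5 handler will not validate under the PBKDF2 handler.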