2017-04-01 15:17 GMT+03:00 André Warnier (tomcat) <a...@ice-sa.com>:
>
> I was also wondering why Konstantin, in his response, mentioned that it was
> "by design" that the Realm has no access to the Request. Was that to avoid
> some kind of problem, or to match the Specs or something ?
>
Documentation says so. E.g.: "A Realm is a "database" of usernames and passwords"
http://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#What_is_a_Realm?

One design bit driven by the servlet spec is that an Authenticator usually is not configured explicitly, but is created automatically, mapping an <auth-method> onto a class name. See the Authenticators.properties file:
https://svn.apache.org/viewvc/tomcat/tc8.5.x/tags/TOMCAT_8_5_13/java/org/apache/catalina/startup/Authenticators.properties?view=markup

The web application decides what authentication protocol to use. Realms are configured explicitly, and we have one by default.

In a few cases where I went with Tomcat authentication (instead of the usual Spring Security library) and had special requirements (checks by IP, preauthentication) I implemented a Valve, not even an Authenticator. I am not proud of those, but they served a specific purpose. They were inspired by the SingleSignOn valve.

BTW, there are alternative technologies: JASPIC, JAAS, GSS (GSSContext in SpnegoAuthenticator).
http://tomcat.apache.org/tomcat-8.5-doc/config/jaspic.html
http://tomcat.apache.org/tomcat-8.5-doc/config/realm.html#JAAS_Realm_-_org.apache.catalina.realm.JAASRealm

JASPIC has access to request & response.

Best regards,
Konstantin Kolinko
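To illustrate the design point above (a Valve sees the Request, a Realm does not), here is an added example of a minimal client-address check implemented as a Tomcat 8.5 Valve. It is not Konstantin's code; the class name `ClientAddressValve` and the `allow` attribute are assumptions chosen for the example.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical Valve that rejects requests whose client address is not on an
 * allow list. Unlike a Realm, a Valve receives the Request and Response, so it
 * can inspect the remote address before the Authenticator runs.
 * Configured in server.xml inside a Host or Context element, e.g.
 *   <Valve className="ClientAddressValve" allow="10.0.0.5,192.0.2.10"/>
 */
public class ClientAddressValve extends ValveBase {

    private final Set<String> allowed = new HashSet<>();

    /** Bean setter: Tomcat maps the "allow" attribute onto this method. */
    public void setAllow(String allow) {
        allowed.clear();
        for (String addr : allow.split(",")) {
            String trimmed = addr.trim();
            if (!trimmed.isEmpty()) {
                allowed.add(trimmed);
            }
        }
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Behind a reverse proxy this is the proxy's address unless
        // RemoteIpValve runs earlier in the pipeline and rewrites it.
        String remote = request.getRemoteAddr();
        if (!allowed.contains(remote)) {
            containerLog.warn("Rejected request from " + remote
                    + " for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Address accepted: hand the request to the next Valve in the
        // pipeline, which eventually reaches the Authenticator and the app.
        getNext().invoke(request, response);
    }
}
```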