On 30/03/2010 23:05, Christopher Schultz wrote: > All, > > One of the major architectural changes I've heard about coming in Tomcat > 7 is the removal of the Valve interface in favor of using the standard > javax.servlet.Filter interface.
Getting Tomcat 7 to move from Valves towards Filters is one of my pet projects. There is still a long way to go and it isn't at the top of my todo list. > IIRC, the current implementation of container-managed authentication and > authorization is done using a Valve (or series of Valves). It is currently a single Valve. > If Tomcat is moving to Filters rather than Valves, does that mean that > Tomcat authentication will be done using Filters, or is there some other > strategy in the works? The strategy is to move to filters. The tactics are somewhat lacking in detail. > I ask because a Filter-based authentication and authorization strategy > would duplicate the work of securityfilter (and probably be more > up-to-date, but that's beside the point). Potentially. I see security filter is essentially Apache licensed. Hmm. I feel a Baldrick[1] moment coming on. > I would actually prefer that Tomcat go with a Filter-based > authentication strategy because of the flexibility which can be achieved > by intercepting the call chain without having to dive into the internals > of Tomcat. > > What's the plan for T7-auth? At the minute, implement JSR-196 once the Servlet 3.0 is completed (it is very close) with a valve to filter move for authentication probably pushed back to Tomcat 8. SecurityFilter is an obvious starting point. How do you feel about contributing some patches with the aim of merging the SecurityFilter code into Tomcat? Is it feasible to do this incrementally or would it need to be in one big patch? Mark [1] http://en.wikipedia.org/wiki/Baldrick --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
