>> The problem with the Realm system is it's designed with the assumption
>> that tomcat is doing the authentication which is not a valid
>> assumption in an environment where the authentication is separated
>> from authorization. The entire point of container security is that as
>> a coder I don't have to worry about how any of this is implemented.
>
> The problem with Tomcat is that all too often it doesn't do what people
> expect it should do*.
>
>
> p
>
> * Or maybe the problem isn't Tomcat.

I'm not looking to start a holy war here, but is there anything incorrect in what I said? Tomcat is a servlet container, the servlet API is a contract between the container and the developer, the contract specifies how a developer would access role information regardless of the implementation. Since the Realm implementation assumes that Tomcat is doing the authentication and breaks when it isn't Tomcat, isn't that a violation of the contract?

It's open source, so I'm not complaining or demanding anything. I think I know how to do what I need; however, that doesn't change the facts of the situation that Tomcat does not have the built-in capability for a standard realm to simply retrieve user information as opposed to authentication AND user retrieval that would enable Tomcat to maintain its compliance while being fronted by Apache.

Marc
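
The separation discussed in this thread, with authentication done by the front end and only role lookup done inside the web application, can be sketched as a servlet filter. This is an added example, not code from the original message or from Tomcat; the class name `ExternalAuthRoleFilter`, the in-memory role map and the `javax.servlet` namespace are assumptions, and it presumes the front end has already populated `getRemoteUser()`.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: the front end authenticates, this class only supplies roles.
public class ExternalAuthRoleFilter implements Filter {

    // Constructed sample data standing in for a real role store (LDAP, JDBC, ...).
    private static final Map<String, Set<String>> ROLES = Map.of(
            "alice", Set.of("admin", "user"),
            "bob", Set.of("user"));

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser(); // set by the front end, not by a Tomcat Realm
        if (user == null) {
            chain.doFilter(req, res); // unauthenticated: pass through with no roles added
            return;
        }
        // Unknown users get an empty role set, so every role check fails closed.
        Set<String> roles = ROLES.getOrDefault(user, Set.of());
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public boolean isUserInRole(String role) {
                return roles.contains(role);
            }
            @Override
            public Principal getUserPrincipal() {
                return () -> user; // Principal's only abstract method is getName()
            }
            @Override
            public String getRemoteUser() {
                return user;
            }
        }, res);
    }

    @Override
    public void destroy() {}
}
```

This covers programmatic `isUserInRole` checks only; declarative `<security-constraint>` rules in `web.xml` are enforced by the container before any filter runs. The user name is only as trustworthy as the path it arrived on, so the Tomcat connector should be reachable only from the front end.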