On 17/06/2010 13:26, André Warnier wrote:
> I must say that, with my limited knowledge of the Tomcat internals taken
> into consideration, I tend to agree with Marc in this case, if he is
> right in claiming that the Tomcat Realm mixes authentication with
> authorization and does not allow one to separate the two.

That is how Tomcat Realms are designed. This is consistent with the Servlet spec, which leaves the implementation details entirely to the container. If Tomcat required all authentication requests to be made via carrier pigeon, then that would be spec compliant, providing the correct information was exposed via the API defined in the spec.

> At the very least, I would expect the Realm to check first if the
> request already has a user-id, and skip the authentication part in such
> a case.

Easier said than done. The Realms deliberately have no visibility of the request or the response. The Authenticators extract the username and password, pass them to the Realm to obtain an authenticated Principal (with roles), and then the Authenticators populate the attributes that then support the calls in the Servlet API.

The way to handle this (probably) is to modify the Authenticators (hopefully just the base class) to check for an already authenticated user. If one is found, use the Realm just to get the roles. The implementation for that is already in place. It just needs adding to the interface and the visibility changed. Then you just need to figure out how to merge the existing Principal (that may have roles) with the new one that has the roles from the Realm.

Tomcat 7's internal API has deliberately been declared as volatile in the docs, so now is the time to make these changes. Patches welcome. Note this won't get ported back to 6 due to the API changes required.

> There are many cases out there where Tomcat is only a part of a more
> complex system, where a network-wide authentication is required, while
> the authorization part may still be one that only Tomcat can do.
>
> A naive linked question: is the <Realm> a purely Tomcat thing, or is it
> mandated by the Servlet Spec?

100% pure Tomcat.
Mark
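A sketch of the merge step Mark describes, added here as an illustration and not code from this thread or from Tomcat: it assumes the Authenticator already holds a Principal established by an upstream component, and that the Realm exposes a role lookup by user name (the hypothetical `RoleSource.rolesFor` method below; as Mark notes, Tomcat 7 keeps that lookup non-public). Only Tomcat 7's `org.apache.catalina.realm.GenericPrincipal` is real; the demo data in `main` is constructed.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.apache.catalina.realm.GenericPrincipal;

/** Hypothetical lookup the Realm interface would need to expose (assumption). */
interface RoleSource {
    List<String> rolesFor(String username);
}

public final class PrincipalMerger {

    private PrincipalMerger() {}

    /**
     * Keep the identity established upstream and add the roles the Realm
     * knows for that user, without re-running a credential check here.
     * Roles already carried by the existing Principal (e.g. from a
     * network-wide SSO component) are preserved; duplicates are dropped.
     * The caller is responsible for only accepting an upstream identity
     * that a trusted component set on the request.
     */
    public static GenericPrincipal mergeRoles(Principal existing, RoleSource realm) {
        if (existing == null) {
            throw new IllegalArgumentException("no authenticated user on the request");
        }
        Set<String> roles = new LinkedHashSet<String>();
        if (existing instanceof GenericPrincipal) {
            roles.addAll(Arrays.asList(((GenericPrincipal) existing).getRoles()));
        }
        List<String> realmRoles = realm.rolesFor(existing.getName());
        if (realmRoles != null) {
            roles.addAll(realmRoles);
        }
        // Password is null: the credential was never seen here, only the identity.
        return new GenericPrincipal(existing.getName(), null, new ArrayList<String>(roles));
    }

    /** Constructed demo: upstream set "alice" with role "sso-user"; the Realm adds "manager". */
    public static void main(String[] args) {
        GenericPrincipal upstream = new GenericPrincipal("alice", null, Arrays.asList("sso-user"));
        RoleSource realm = new RoleSource() {
            public List<String> rolesFor(String u) {
                return "alice".equals(u) ? Arrays.asList("manager") : null;
            }
        };
        GenericPrincipal merged = mergeRoles(upstream, realm);
        System.out.println(merged.getName() + " " + Arrays.toString(merged.getRoles()));
    }
}
```

The original Principal object itself is not retained in the merged one; a real patch would also have to decide whether `isUserInRole` should consult the upstream Principal's roles or only the Realm's.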