"Kyle F. Downey" wrote:
> Quick question: why does Catalina check with the Realm implementation on
> every HTTP request, even after a successful authentication? Is it the
> responsibility of the Realm to handle caching and expiring of credentials?
> Seems to me that would lead to a good bit of replication of code among
> Realm implementations.
>
If you are in a session, the authenticated principal is actually cached (in a
private variable inside the Session object). If you are not in a session, Catalina
has no choice but to authenticate you every time, because it has no way to know
whether the second request came from the same person or not.
As a practical matter, when you are using BASIC and DIGEST authentication the
browser keeps sending the "Authorization" header on each request with a matching
"Realm", so the user does not see this happening -- but your Realm implementation
does.
>
> Also, would there be any objection to my factoring out common functions
> from MemoryRealm, JDBCRealm and JAASRealm into an "AbstractRealm" helper class?
> There's a lot of cut-and-pasting to do when writing a Realm right now. I
> can post said class for review, since I am not a committer.
>
There is already a RealmBase class which the current implementations subclass.
Would it make sense to migrate common functionality there instead of creating
another base class?
>
> --kd
Craig
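An added illustration of the behaviour Craig describes, written here in Python rather than taken from Catalina: a Realm is consulted on every request that arrives without a session, while a request carrying a session whose principal is already cached never reaches the Realm, even though a Basic-auth browser resends the Authorization header each time. The Realm, Container, user name and password are all constructed for this example.

```python
import base64
import hashlib
import secrets

def digest(password, salt):             # PBKDF2 so the realm never holds plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Realm:
    """Constructed user store (username -> salt, digest) that counts lookups."""
    def __init__(self, credentials):
        self.calls = 0                      # how many times authenticate() ran
        salts = {user: secrets.token_bytes(16) for user in credentials}
        self.users = {u: (salts[u], digest(p, salts[u])) for u, p in credentials.items()}
    def authenticate(self, username, password):
        self.calls += 1
        salt, expected = self.users.get(username) or (b"", b"")
        return username if secrets.compare_digest(digest(password, salt), expected) else None

class Container:
    """Caches the authenticated principal per session, as the reply describes."""
    def __init__(self, realm):
        self.realm, self.sessions = realm, {}   # sessions: session id -> principal
    def handle(self, headers):
        """Return (principal, session_id), or (None, None) if unauthenticated."""
        sid = headers.get("Cookie")
        if sid in self.sessions:            # cached principal: realm is skipped
            return self.sessions[sid], sid
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None, None
        principal = self.realm.authenticate(user, pw) if scheme == "Basic" else None
        if principal is None:
            return None, None
        sid = secrets.token_hex(16)         # new session now holds the principal
        self.sessions[sid] = principal
        return principal, sid

def realm_calls_for(requests, use_session):
    """Send Basic-auth requests as one client and count realm lookups."""
    realm, sid = Realm({"kyle": "correct horse"}), None   # constructed user
    container = Container(realm)
    auth = "Basic " + base64.b64encode(b"kyle:correct horse").decode()
    for _ in range(requests):
        headers = {"Authorization": auth}   # browser resends this on every request
        if use_session and sid:
            headers["Cookie"] = sid
        principal, sid = container.handle(headers)
    return realm.calls
```

With `use_session=False` three requests cost three Realm lookups; with the session cookie they cost one, which is why caching or expiring credentials inside the Realm only matters for sessionless clients.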