Hello Costin:
Comments intermixed below.
> - public int authorize( Request req, Response response,
> String roles[] )
> - {
> - if( roles==null ) {
> - // request doesn't need authentication
> - return 0;
> - }
> -
> - Context ctx=req.getContext();
> -
> - String userRoles[]=null;
> -
> - String user=req.getRemoteUser();
> -
> - if( user==null )
> - return 401; //HttpServletResponse.SC_UNAUTHORIZED
> -
> - if( this.equals(req.getNote(reqRealmSignNote)) ){
> - return 0;
> - }
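Review bot: The removed authorize() ends, in the lines quoted here, with the this.equals(req.getNote(reqRealmSignNote)) comparison, which is the only point in this hunk where the result is tied to a particular realm instance, and nothing quoted shows what replaces it. If the new code path no longer compares the request's realm note against the realm handling the request, state in the commit message where that ownership is now decided, or keep an equivalent check in the replacement.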
IMHO we cannot lose this last check, as it is the way multiple Overlapping
Realms can be used. We need to distinguish the realm that
actually authenticates a user, to let it do the authorization; this
was the idea behind the realmSignNote. How can we do that now?
>
> + // XXX XXX XXX Nacho, I think Digest should be part of
> the Credential
> + // module, so it's used by all Realms.
> +
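Review bot: The added XXX comment puts an open design question, addressed to one person by name, into the source, where it will outlive the discussion. Settle on the list whether Digest belongs in the Credential module, then replace the comment with a plain TODO that records the decision and says how a single realm would select digested or plain passwords, since "used by all Realms" leaves that unspecified.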
But if we do things that way, how can I configure a JDBCRealm to use
digested passwords and others don't? We will need to use a private
CredentialsInterceptor for the context that needs digested passwords?
Regards,
Ignacio J. Ortega