Over the last few weeks, there has been a high degree of interest in
having a Realm implementation for Tomcat 4.0 that authorizes users via a
JNDI-accessed directory server (typically, but not limited to, LDAP
servers). There have been proposed contributions on both TOMCAT-USER and
TOMCAT-DEV towards this end.
I'd like to combine the best features of these submissions, but wanted to
get some feedback and agreement on overall goals before doing so. Here's
my list so far:
* Usable via JNDI 1.2 (or the JNDI classes built in to J2SDK 1.3).
* Does not interfere with existing use of JNDI APIs inside Catalina,
or in user web apps.
* Pluggable initial context factory, and factory initialization
parameters (so you can use any JNDI-accessible service you want).
* Configurable access to the internal data elements and attributes,
so we don't have to predefine the structure (in the same way that
JDBCRealm lets you configure table and column names).
* Reuse functionality in existing Realm implementations as appropriate
(may cause a little minor refactoring along the way).
* Support for two major modes of operation:
  * SYSTEM LOGIN. Realm implementation binds itself to the server using
    a system-level username/password, then reads the username and password
    attributes to perform authentication (analogous to how JDBCRealm
    works). Would also support the optional digesting functionality that
    JDBCRealm supports.
  * USER LOGIN. Realm implementation attempts to bind to the server
    using the username and password specified by the user. If this is
    successful, the user is considered to be authenticated, and the
    associated roles are looked up.
Comments? Questions? Changes?
Craig
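The following sketch is an added illustration of the two modes of operation described in the message above; it is not code from this proposal, from any of the contributed patches, or from the JNDIRealm that Tomcat later shipped. It uses only the standard javax.naming API against a pluggable initial context factory, and every server URL, DN, attribute name, filter and credential in it is an assumed placeholder standing in for the configurable values the proposal calls for. It needs a reachable LDAP server to actually run.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;

/** Illustrative realm sketch; all configuration values below are assumed placeholders. */
public class JndiRealmSketch {

    // Pluggable factory and provider, as the proposal asks for (assumed values).
    String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
    String providerUrl    = "ldap://ldap.example.com:389";
    // Configurable directory layout, the JNDI analogue of JDBCRealm's table/column names.
    String userBase       = "ou=people,dc=example,dc=com";
    String userRdn        = "uid";
    String userPassword   = "userPassword";        // attribute read in SYSTEM LOGIN mode
    String roleBase       = "ou=groups,dc=example,dc=com";
    String roleSearch     = "(member={0})";        // {0} is the user's DN, substituted by JNDI
    String roleName       = "cn";
    String digest         = null;                 // e.g. "SHA-1"; null means plaintext compare
    // Service account used only in SYSTEM LOGIN mode (assumed values).
    String systemDn       = "cn=tomcat,ou=services,dc=example,dc=com";
    String systemPassword = "s3cret";

    private DirContext open(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    // Escape the RDN value so a crafted username cannot alter the DN structure.
    private String userDn(String username) {
        return userRdn + "=" + Rdn.escapeValue(username) + "," + userBase;
    }

    /** SYSTEM LOGIN: bind as the service account, read the stored password, compare. */
    public List<String> authenticateSystem(String username, String password) throws Exception {
        if (username == null || password == null || password.isEmpty()) return null;
        DirContext ctx = open(systemDn, systemPassword);
        try {
            String dn = userDn(username);
            Attribute stored = ctx.getAttributes(dn, new String[]{userPassword}).get(userPassword);
            if (stored == null) return null;
            Object raw = stored.get();   // the LDAP provider returns userPassword as byte[]
            byte[] storedBytes = raw instanceof byte[] ? (byte[]) raw
                                                       : raw.toString().getBytes(StandardCharsets.UTF_8);
            String presented = digest == null ? password : hexDigest(password);
            byte[] presentedBytes = presented.getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison, as JDBCRealm-style digest compare should be.
            if (!MessageDigest.isEqual(storedBytes, presentedBytes)) return null;
            return roles(ctx, dn);
        } finally {
            ctx.close();
        }
    }

    /** USER LOGIN: bind as the user; a successful bind authenticates, then look up roles. */
    public List<String> authenticateUser(String username, String password) throws Exception {
        // An empty password must be refused here: LDAP treats "DN + empty password" as an
        // unauthenticated (anonymous) bind, which many servers accept without error.
        if (username == null || password == null || password.isEmpty()) return null;
        DirContext ctx;
        try {
            ctx = open(userDn(username), password);
        } catch (AuthenticationException e) {
            return null;   // bad credentials
        }
        try {
            return roles(ctx, userDn(username));
        } finally {
            ctx.close();
        }
    }

    // Role lookup shared by both modes; filterArgs substitution escapes the DN for the filter.
    private List<String> roles(DirContext ctx, String dn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[]{roleName});
        List<String> out = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(roleBase, roleSearch, new Object[]{dn}, sc);
        while (results.hasMore()) {
            Attribute a = results.next().getAttributes().get(roleName);
            if (a != null) out.add(a.get().toString());
        }
        return out;
    }

    private String hexDigest(String s) throws Exception {
        byte[] d = MessageDigest.getInstance(digest).digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Two points worth keeping in mind when turning a sketch like this into a real Realm: the USER LOGIN mode depends on rejecting empty passwords before binding, because an LDAP simple bind with a DN and no password is an anonymous bind and would otherwise look like success; and the SYSTEM LOGIN mode's compare only works when the stored attribute holds exactly the plaintext or the configured digest, so a directory that stores `{SHA}`-prefixed or salted hashes needs either the USER LOGIN mode or an extra decoding step that is not shown here.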