Costin Manolache wrote:
Yes, I know ;-) It's not too often that people talk about refactoring that part of Tomcat, so I wanted to mention that issue.Remy Maucherat wrote:I'll only be talking about HTTP authentication and the interaction with the realms for now. The main problem is that some authentication schemes need the realm to function (digest, for example). So I don't see how we can put that layer of processing in Coyote, since we need access to the realm to perform it. However, the code in the current authenticators will enventually be rewritten Coyote-style (and using tomcat-util objects) so that it actually performs well.That's orthogonal and not the subject of this discussion ( the proposal is about authorization, not authentication ).
Also the issue of using coyote hooks ( Action ) or a custom interface is orthogonal on what information is needed, in both cases the implementation
of the authentication hook ( or interface ) will have access to the same
information ( Request, user info, etc ).
Yes, you can indeed pass the necessary information as a parameter.
I don't care that much about the hook mechanism (the current one works ok), but the user storage is certainly broken, and this part of Tomcat could generally be more elegant (but maybe something implementing FORM cannot be made to be elegant :-P ).I think a refactoring of the realms is needed in order to support any auth scheme (most realms don't work with digest). To be able to do
+1.
I would add to the wish list better support for web server integration.
It would be nice ( at least for jni mode ) to be able to have the native server call the hook to auth static resources - but the real
important thing is allow the native server do it ( and the countless auth modules ).
We should probably standardize on storing the limited digest defined in the RFC in the realms instead of the clear password or some kind of unusable digest of the password.
I like the move to split the storage of the info about user from Realm,
as well as the split of authorization/authentication. I don't like the current abstraction for user info ( and the fact that all users need to be in memory ), and I would preffer use of a consistent hook
mechanism ( coyote Action ) instead of special interfaces.
Remy
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
