In Tomcat, "Realm" has this definition: A Realm is a "database" of 
usernames and passwords that identify valid users of a web application (or 
set of web applications), plus an enumeration of the list of roles 
associated with each valid user. This is exactly what a UserManager should do.



I guess the reason why we use "Realm" here is that at the beginning of the 
web, a Realm was used to hold authorization & authentication together, just 
like the MemoryRealm in Tomcat. Over time, other things were gradually 
removed from Realm.



Actually, a realm should be a group of resources & the actions that can be 
performed on them.



Users will be prompted with information like this: In order to allow you to 
access the realm xxxxx, please provide your identity. The user can choose to 
provide a certificate or a username & password pair, whichever is right. At 
the beginning of the web, only username & password was used.



Apache is still using the "Realm" in its right meaning:
Realms: Areas of Controlled Access
In terms of voluntary control mechanisms on the Web, each protected area, 
whether it be a single document or an entire server, is called a realm. When 
a server challenges a client for credentials, it provides the name of the 
realm so the client can figure out which credentials to send.



Realm should return to its true meaning: a group of resources, like 
SecurityConstraint in Tomcat.

We need to separate UserManager from Realm.
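
As an added illustration of the split argued for above (example code written for this page, not code from the poster, Tomcat or Apache), the Python sketch below models a UserManager that only answers "who is this and which roles do they hold?" and a Realm that is a named group of URL patterns plus the methods and roles allowed on them, in the shape of a SecurityConstraint. When a request lands in a protected area without valid credentials, the server answers 401 and names the realm in the WWW-Authenticate header, exactly so the client knows which credentials to send. The class names, the sample users and the sample realms are assumptions constructed for this example.

```python
"""Sketch of the split argued for above: a UserManager that only
authenticates users and reports their roles, and a Realm that is a named
group of resources plus the roles allowed to act on them (the shape of a
SecurityConstraint). The class names, sample users and realms below are
constructed for this example and are not Tomcat's API."""
import base64
import binascii
import fnmatch
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class UserManager:
    """Authentication only: who is this, and which roles do they hold?"""
    # username -> (password, roles). Plaintext passwords keep the sketch short;
    # a real store would hold salted hashes.
    users: Dict[str, Tuple[str, Tuple[str, ...]]]

    def authenticate(self, username: str, password: str) -> Optional[Set[str]]:
        entry = self.users.get(username)
        if entry is None:
            return None
        # Constant-time comparison so timing does not leak how much matched.
        if not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        return set(entry[1])


@dataclass(frozen=True)
class Realm:
    """A protected area: URL patterns, the methods constrained, the roles allowed."""
    name: str                      # what the client sees in WWW-Authenticate
    patterns: Tuple[str, ...]      # e.g. "/admin/*"
    methods: frozenset             # constrained HTTP methods; empty means all
    roles: frozenset               # roles allowed to perform those methods

    def covers(self, method: str, path: str) -> bool:
        in_area = any(fnmatch.fnmatchcase(path, p) for p in self.patterns)
        return in_area and (not self.methods or method in self.methods)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a browser would send for HTTP Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <b64>' into (username, password); None if malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, pw = raw.partition(":")
    return user, pw


def handle(realms, users: UserManager, method: str, path: str,
           authorization: Optional[str] = None) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for one request.

    The realm decides whether the request is protected and which roles may
    proceed; the UserManager decides who the caller is. Neither needs the other."""
    realm = next((r for r in realms if r.covers(method, path)), None)
    if realm is None:
        return 200, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{realm.name}"'}
    creds = parse_basic(authorization)
    if creds is None:
        return 401, challenge
    roles = users.authenticate(*creds)
    if roles is None:
        return 401, challenge           # bad credentials: ask again, same realm
    if not roles & realm.roles:
        return 403, {}                  # authenticated, but no role for this area
    return 200, {}


# Constructed sample data for the example.
USERS = UserManager({
    "alice": ("s3cret", ("admin",)),
    "bob": ("hunter2", ("editor",)),
    "carol": ("letmein", ("viewer",)),
})
REALMS = [
    Realm("Admin area", ("/admin/*",), frozenset(), frozenset({"admin"})),
    Realm("Reports", ("/reports/*",), frozenset({"PUT", "POST", "DELETE"}),
          frozenset({"editor", "admin"})),
]

if __name__ == "__main__":
    print(handle(REALMS, USERS, "GET", "/admin/users"))
    print(handle(REALMS, USERS, "GET", "/admin/users", basic_header("alice", "s3cret")))
```

Note that a GET on /reports/ falls outside the Reports realm because only the writing methods are constrained there, while a DELETE by a user without the editor or admin role is refused with 403 rather than 401: the user is known, the realm simply does not admit that role.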
