"Jack" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> In tomcat, "Realm" has such a definition: A Realm is a "database" of
> usernames and passwords that identify valid users of a web application (or
> set of web applications), plus an enumeration of the list of roles
> associated with each valid user. This is exactly what a UserManager should do.
>
> I guess the reason why we use "Realm" here is that at the beginning of the
> web, Realm was used to contain authorization & authentication together, just
> like the MemoryRealm in Tomcat. With time, other things were removed from
> Realm gradually.
>
> Actually, a realm should be a group of resources & the actions that can be
> performed on it.
>
> Users will be prompted with information such as: In order to allow you to
> access the realm: xxxxx, please provide us your identity. The user can choose
> to provide a certificate or a username & password pair, whichever is right. At
> the beginning of the web, only username & password were used.
>
> Apache is still using "Realm" in its right meaning:
> Realms: Areas of Controlled Access
> In terms of voluntary control mechanisms on the Web, each protected area,
> whether it be a single document or an entire server, is called a realm.
> When a server challenges a client for credentials, it provides the name of
> the realm so the client can figure out which credentials to send.
>
> Realm should return to its true meaning: a group of resources, like
> SecurityConstraint in tomcat.
>
> We need to separate UserManager from Realm.

Patches are always welcome ;-).