Mark,

On 12/10/17 3:11 PM, Mark Thomas wrote:
> On 09/12/17 19:41, Christopher Schultz wrote:
>
> <snip/>
>
>> If there is any appetite for such a thing in Tomcat, I'd be happy
>> to propose a change to bring e.g. an AuthenticationListener
>> interface which could listen for events of this type and include
>> information such as username, IP address, and possibly other
>> useful information.
>
> I think this is a specific case of this more general request:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

+1

> Now is a good time to implement that, before 9.0.x becomes final
> and the API is (mostly) fixed.
>
> There are a couple of different ways of doing this, depending on
> how backwards compatible we want to be. I'm currently leaning
> towards:
>
> - add new methods to Realm (duplicate existing authentication
> methods and add HttpServlet)
>
> - implement the new methods in RealmBase that simply defaulted to
> calling the old methods minus the HttpServlet

Securityfilter basically provided an interface that included the
HttpServletRequest, and if the "Realm" implemented that interface, the
more-specific method was called instead of e.g.
authenticate(String,String).

I'm not sure which is faster: an "instanceof" check or a dispatch to a
method which re-dispatches to another method. I'd guess they are roughly
equivalent and the performance difference doesn't matter much. It's much
more of an architectural decision.

I have to say that I'm not super-happy with using HttpServletRequest for
that purpose (because it then ties Tomcat Realms to HTTP) but, honestly,
when are these realms going to be used outside the context of Tomcat,
where HTTP is the primary protocol to be serviced?

> Then custom Realms could extend RealmBase, override those methods
> and gain access to the additional info.
>
> It isn't the only option. Is there a
>
> It is TBD if we deprecate the old methods. Maybe deprecate in 9.0.x
> with a view to dropping in 10.0.x

I see no need to deprecate the old methods, especially if we provide a
default implementation that merely passes through to the old
authenticate() method(s).

As for custom Realms, I'm more interested in obtaining the IP address of
the user attempting to authenticate *without* having to implement my own
custom realm. This was the whole point of the CredentialHandler
interface: to allow users to implement the smallest part of the process
in a custom way. I'd like to do the same for IP-address handling...
there's no particular reason why a user should have to subclass +
re-implement a bunch of (admittedly, mostly delegate) methods just to
record failed logins from a particular IP address.

What do you think about a Listener interface for login success/failure?

-chris
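The design sketched in the thread above (a request-aware authenticate overload whose base implementation delegates to the old method, plus a login success/failure listener that sees the client IP), as an added, self-contained illustration that is not Tomcat code: `LegacyRealm`, `AuthenticationListener`, `ListeningRealmBase` and `FailureCounter` are hypothetical names standing in for Realm, RealmBase and the proposed listener, and the IP address is passed as a String rather than a real HttpServletRequest.

```java
// Added illustration of the design discussed in the thread; hypothetical names, not Tomcat's API.
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Stand-in for the existing Realm#authenticate(String, String). */
interface LegacyRealm {
    Principal authenticate(String username, String credentials);
}

/** Proposed listener: gets the login outcome together with username and client IP. */
interface AuthenticationListener {
    void onLoginSuccess(String username, String remoteAddr);
    void onLoginFailure(String username, String remoteAddr);
}

/** RealmBase-style base class: the new request-aware overload defaults to the old method. */
abstract class ListeningRealmBase implements LegacyRealm {
    private final AuthenticationListener listener;
    ListeningRealmBase(AuthenticationListener listener) { this.listener = listener; }

    // New overload carrying request context (here just the remote address). The default
    // body delegates to the old authenticate() and then notifies the listener, so a
    // deployer sees failed logins per IP without subclassing the realm's delegate methods.
    public Principal authenticate(String remoteAddr, String username, String credentials) {
        Principal p = authenticate(username, credentials);
        if (p != null) listener.onLoginSuccess(username, remoteAddr);
        else listener.onLoginFailure(username, remoteAddr);
        return p;
    }
}

/** Listener that records consecutive failures per client IP, the use case raised in the mail. */
class FailureCounter implements AuthenticationListener {
    final Map<String, Integer> failuresByIp = new ConcurrentHashMap<>();
    public void onLoginSuccess(String user, String ip) { failuresByIp.remove(ip); }
    public void onLoginFailure(String user, String ip) { failuresByIp.merge(ip, 1, Integer::sum); }
}

public class ListenerDemo {
    public static void main(String[] args) {
        FailureCounter counter = new FailureCounter();
        // Constructed in-memory realm: only alice/secret is a valid pair.
        ListeningRealmBase realm = new ListeningRealmBase(counter) {
            public Principal authenticate(String u, String c) {
                return "alice".equals(u) && "secret".equals(c) ? () -> u : null;
            }
        };
        realm.authenticate("203.0.113.7", "alice", "wrong");  // constructed sample attempts
        realm.authenticate("203.0.113.7", "alice", "wrong");
        System.out.println("failures per IP: " + counter.failuresByIp);
        realm.authenticate("203.0.113.7", "alice", "secret"); // success clears that IP's count
        System.out.println("failures per IP: " + counter.failuresByIp);
    }
}
```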