Semen,

Semen Vadishev wrote:
> Christopher,
>
> 2007/10/9, Christopher Schultz <[EMAIL PROTECTED]>:
>>>> You cannot do this with Tomcat's authentication mechanism. You will
>>>> have to provide an alternative implementation. I recommend looking
>>>> at securityfilter ( http://securityfilter.sourceforge.net ).
>>> Well, securityfilter doesn't satisfy some servlet's requirements
>> Like what?
>
> Sorry if I was wrong, but does security filter support such auth-methods as
> BASIC, DIGEST, etc.? It was pointed out that "BASIC authentication will be
> supported in an upcoming 1.1 release" at
> http://securityfilter.sourceforge.net . But at
> http://sourceforge.net/projects/securityfilter/ I found some newer release
> notes, but I found nothing about added support of other auth methods.

Right. The documentation for securityfilter is horrible. Fortunately,
there's not much code there, so it's possible to go into it and see if
something is implemented and how.

I do not believe that securityfilter supports BASIC, DIGEST, or
CLIENT-CERT authentication schemes. It might support BASIC, but I don't
use that so I don't know.

>> ...why you want your own servlets to do the authorization instead
>> of the container (or securityfilter)?
>
> This is the main question. Today we decided to do nothing new with
> authentication and use special "guest" user in the first version of servlet.

I'm not sure what that means.

> And only if users will ask for anonymous access I described earlier, we'll
> develop custom mechanism or maybe use security filter.

I'm not convinced you need either. You can use the built-in Tomcat
authentication to do logins. You can also use the built-in
authorization, but it looks like you don't want authorization at all:
you want a site that basically lets anyone use it, but also allows
logins for other things (but you haven't mentioned any of them).

Tomcat can do this: just don't make anything protected except for a
single "protected" page that can be used to trigger a login request.

> As I understood you
> represent interests of security filter's developers (sorry if it's mistake)

Not really. I use securityfilter because Tomcat's implementation does
not meet my needs (I need to be able to accept unexpected logins instead
of first requesting a protected resource), but I am not a contributor.

> it will be great if you'll look at servlet's code

I'm not going to read through your code to figure out your requirements.

>>> It will be my first implementation, so any help will be appreciated.
>>
>> First servlet implementation, or first authentication and authorization
>> implementation?
>
> First authentication and authorization implementation.

Again, I don't think you need to implement anything yourself, whether
you use Tomcat's built-in A&A or if you use securityfilter.

-chris