"Christopher Schultz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Bárbara, > > Bárbara Vieira wrote: >> But if we have the Principal in cache, why we have to call the >> authenticator method(FormAuthenticator)? That call doesn't provide any >> additional security, can you understand now? > > That's a good question. Given the current implementation, it doesn't > seem to make sense. On the other hand, the original designers could have > determined that some /other/ authenticator might want to wrap (or > otherwise change) a request even if the Principal were already available. >
You can't easily wrap the TC internal Request for 5.5+. But this is the main reason. When deriving from AuthenticatorBase, the actual Authenticator implementation has the final say (via its authenticate method) on who to accept. The Authenticators that ship with Tomcat will accept that a previous Valve has authenticated the user (e.g. a custom SSO Valve), but that isn't actually part of the contract for Authenticator.

This suggests that the OP would have an easier time if she created a custom Valve (that doesn't implement the Authenticator interface), say com.myfirm.mypackage.MySSLAuthValve, and in web.xml specify FORM auth. Since configured Valves get invoked before Container Valves (as TC is structured now), it would have first choice of authenticating. If MySSLAuthValve sets the Principal in the Request, then TC's FormAuthenticator will just quietly accept it. If it doesn't, then you get normal FORM auth from TC.

> If you're writing your own, why not simply re-write the code the way you
> think best and then test the heck out of it. Try the tomcat-dev list to
> see if someone can answer. Perhaps it's just legacy code that could be
> further optimized.
>

Suggestions on how to improve the Authenticators that ship with TC are always welcome on [EMAIL PROTECTED] But help on rolling-your-own-Authenticator will likely get you pointed back to this list :).
> -chris
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
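
A sketch of the custom Valve suggested in the reply above, added here as an example; it is not code from the thread or from Tomcat. It assumes the Tomcat 5.5+ `ValveBase` API, a connector configured to request client certificates (`clientAuth`), and a Realm that maps certificate chains to users. The class name is the hypothetical one used in the message.

```java
package com.myfirm.mypackage;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Example only. Configure it on the Context, e.g.
 *   <Valve className="com.myfirm.mypackage.MySSLAuthValve"/>
 * and keep <auth-method>FORM</auth-method> in web.xml as the fallback.
 */
public class MySSLAuthValve extends ValveBase {

    // Servlet-spec attribute under which the container exposes the
    // client certificate chain presented during the TLS handshake.
    private static final String CERTS_ATTR =
            "javax.servlet.request.X509Certificate";

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Only act when nobody earlier in the pipeline has authenticated
        // the user, and only on a connection that actually used TLS.
        if (request.getUserPrincipal() == null && request.isSecure()) {
            X509Certificate[] certs =
                    (X509Certificate[]) request.getAttribute(CERTS_ATTR);
            if (certs != null && certs.length > 0) {
                // Let the Realm decide whether this chain maps to a user.
                // Never build a Principal from client-supplied data
                // (headers, parameters) without this check.
                Realm realm = getContainer().getRealm();
                Principal principal =
                        (realm == null) ? null : realm.authenticate(certs);
                if (principal != null) {
                    request.setAuthType("CLIENT_CERT");
                    request.setUserPrincipal(principal);
                }
            }
        }
        // No Principal set: the FORM authenticator further down the
        // pipeline handles the request as usual.
        getNext().invoke(request, response);
    }
}
```

Because the shipped authenticators trust a Principal that is already on the Request, any Valve placed ahead of them becomes part of the authentication boundary and should be reviewed as such.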