-
1. Re: Changes to Realm Interface sought
j2ee_junkie Aug 3, 2006 12:06 PM (in response to anil.saldhana)sweet! That would really allow authentication to open up to more than just a username and password. The only argument that I could make would be if a Realm is an abstraction of a set of principals and the roles/permissions they are allowed, should a realm really have any knowledge of a httpServletRequest/Response?
later, cgriffith -
2. Re: Changes to Realm Interface sought
rmaucher Aug 3, 2006 12:20 PM (in response to anil.saldhana)No, this seems more like a job for a custom authenticator.
-
3. Re: Changes to Realm Interface sought
starksm64 Aug 3, 2006 12:48 PM (in response to anil.saldhana)This is needed to support custom authenticators. The current hard-coded mapping of authentication credentials to the Realm interface does not allow for authentication mechanisms outside of those currently understood by the servlet spec.
-
4. Re: Changes to Realm Interface sought
anil.saldhana Aug 3, 2006 12:59 PM (in response to anil.saldhana)AFAICT, introduction of a custom authenticator , will not make the call-out to a realm mandatory, because there is no requirement on the custom authenticator to call the realm interface. It can do its job inhouse. But this will lead to a lot of duplication in authenticator code.
It certainly does not make sense for the realm interface to have scaled down information plucked from the request object. -
5. Re: Changes to Realm Interface sought
j2ee_junkie Aug 3, 2006 1:10 PM (in response to anil.saldhana)Bypassing the realm as you state has another possible side-effect. It will break current Tomcat authorization calls (which are made to the Realm). So that is not good.
-
6. Re: Changes to Realm Interface sought
anil.saldhana Aug 3, 2006 1:13 PM (in response to anil.saldhana)Hence the need for support in Realm interface (or atleast RealmBase with an extra method I suggested) to support authentication greater than the four stripped down authenticate methods that are legacy.
When JSR-196 becomes mandatory for JEE6, there will be a push for this anyway.