6 Replies Latest reply on Aug 3, 2006 1:13 PM by anil.saldhana

Changes to Realm Interface sought

anil.saldhana Aug 3, 2006 11:21 AM

Remy/Mladen, I propose the following method addition to the Realm interface for Tomcat 6. This would take care of the needs for header based authentication (which may include some form of SSO/Identity Management usecases) and JSR-196 (Java Authentication Container SPI) needs.

public Principal authenticate(Request request, Response response,
 LoginConfig loginConfig) throws Exception;

The current limitation with the Realm interface is the loss of the request object during authentication.

1. Re: Changes to Realm Interface sought

j2ee_junkie Aug 3, 2006 12:06 PM (in response to anil.saldhana)

sweet! That would really allow authentication to open up to more than just a username and password. The only argument that I could make would be if a Realm is an abstraction of a set of principals and the roles/permissions they are allowed, should a realm really have any knowledge of a httpServletRequest/Response?

later, cgriffith
Actions
2. Re: Changes to Realm Interface sought

rmaucher Aug 3, 2006 12:20 PM (in response to anil.saldhana)

No, this seems more like a job for a custom authenticator.
Actions
3. Re: Changes to Realm Interface sought

starksm64 Aug 3, 2006 12:48 PM (in response to anil.saldhana)

This is needed to support custom authenticators. The current hard-coded mapping of authentication credentials to the Realm interface does not allow for authentication mechanisms outside of those currently understood by the servlet spec.
Actions
4. Re: Changes to Realm Interface sought

anil.saldhana Aug 3, 2006 12:59 PM (in response to anil.saldhana)

AFAICT, introduction of a custom authenticator , will not make the call-out to a realm mandatory, because there is no requirement on the custom authenticator to call the realm interface. It can do its job inhouse. But this will lead to a lot of duplication in authenticator code.

It certainly does not make sense for the realm interface to have scaled down information plucked from the request object.
Actions
5. Re: Changes to Realm Interface sought

j2ee_junkie Aug 3, 2006 1:10 PM (in response to anil.saldhana)

Bypassing the realm as you state has another possible side-effect. It will break current Tomcat authorization calls (which are made to the Realm). So that is not good.
Actions
6. Re: Changes to Realm Interface sought

anil.saldhana Aug 3, 2006 1:13 PM (in response to anil.saldhana)

Hence the need for support in Realm interface (or atleast RealmBase with an extra method I suggested) to support authentication greater than the four stripped down authenticate methods that are legacy.

When JSR-196 becomes mandatory for JEE6, there will be a push for this anyway.
Actions

Go to original post