1 Reply Latest reply on Nov 26, 2005 5:20 AM by Scott Stark

    Custom Header Based Authentication

    Anil Saldanha Master

      This issue relates to the JIRA task:

      Tomcat has authenticators for the http auth methods - form, basic,client-cert and digest. Each of these authenticators gather the required information to establish identity - username/password, certs, digest etc. And then this information is passed to a ream configured at the context level.

      The methods that are relevant are from the realm interface:

       public Principal authenticate(String username, String credentials);
       public Principal authenticate(String username, byte[] credentials);
       public Principal authenticate(String username, String digest,
       String nonce, String nc, String cnonce,
       String qop, String realm, String md5a2);
       public Principal authenticate(X509Certificate certs[]);

      Issue 1:
      As you see, for the custom header based authentication, the realm interface is inadequate. There is a need to extend this realm interface to consider the headers passed in the request for authentication and generation of a Principal.

      So maybe interface methods:
       public Principal authenticate(Header[] headers)
       public Principal authenticate(Cookies[] cookies)

      Issue 2:
      The authenticators have to be beefed up to handle the extended Realm interface. So either we have custom authenticators or the tomcat base authenticators have to be beefed up to consider the extended realm interface.

      Related JIRA issue:

      Thoughts - design feedback - pointers welcome.

        • 1. Re: Custom Header Based Authentication
          Scott Stark Master

          I would just add a generic:

          public Principal authenticate(Header[] headers, Map data);

          method to the Realm interface for a generic callout. The AuthenticatorBase does not handle authentication other than sso reauthentication. Whatever specific Realm authentication method that the authenticator wants to use is up to the authenticator.

          There is still the question of the SingleSignOn of the AuthenticatorBase.