"Terry Zhou" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Tomcat does have a realm at different levels (Engine, Host, Webapp) for
> security.
> Check http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

Personally, I believe that the original Realm mixed up authentication and authorization. It should be separated into Authorizer and UserRealm.
The reason I suggest adding a user package is that the source code of the original implementation is not easy to integrate into the source code of a web-app.

Principal is web-app dependent

HttpServletRequest.getRemoteUser() returns the name of the user of the request. When we use certificates, the returned object is not well defined, since there is no name here. HttpServletRequest.getUserPrincipal() doesn't have a good definition, either. It just says "the principal name of the current authenticated user". So, what is in the returned Principal object is up to the container, too.

However, the reason to have such a method is to let the web-app access it. And so, the returned Principal should be web-app dependent. We had better ask the web-app to implement the Principal if the web-app cares who the user is. In such a case, we had better leave the authentication to the web-app (in UserContext), too. If the web-app doesn't care at all, then we can use GenericPrincipal as in the current implementation.

[EMAIL PROTECTED]
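The certificate case discussed above, as an added example that is not part of the original message, Tomcat's Realm code, or the UserRealm/Authorizer design the poster proposes: a web-app-owned Principal built from whatever HttpServletRequest.getUserPrincipal() returns. It uses only the JDK (java.security.Principal, javax.security.auth.x500.X500Principal, javax.naming.ldap.LdapName) so it runs without a container. The class name WebAppUser and the fallback heuristic (a non-X500 Principal whose getName() parses as an X.500 DN is treated as a certificate login) are assumptions for illustration, not documented container behaviour.

```java
import java.security.Principal;
import java.util.Objects;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not Tomcat code): a web-app-owned identity derived from the
 * Principal the container hands back. In a servlet or filter the web-app would
 * call WebAppUser.from(request.getUserPrincipal()).
 */
public final class WebAppUser implements Principal {
    private final String displayName;   // what the web-app shows, logs and authorizes on
    private final String subjectDn;     // full X.500 subject; null unless a certificate was used

    private WebAppUser(String displayName, String subjectDn) {
        this.displayName = Objects.requireNonNull(displayName);
        this.subjectDn = subjectDn;
    }

    @Override public String getName() { return displayName; }
    public String getSubjectDn() { return subjectDn; }
    public boolean isCertificateUser() { return subjectDn != null; }

    /** Returns null for an unauthenticated request (container returned no Principal). */
    public static WebAppUser from(Principal containerPrincipal) {
        if (containerPrincipal == null) {
            return null;
        }
        String name;
        if (containerPrincipal instanceof X500Principal) {
            // Certificate login: there is no user name, only a subject DN.
            name = ((X500Principal) containerPrincipal).getName(X500Principal.RFC2253);
        } else {
            name = containerPrincipal.getName();
        }
        // Assumption: a container may wrap a certificate subject in a generic Principal
        // whose getName() is the DN string, so try to parse every name as a DN.
        LdapName dn = parseDn(name);
        if (dn == null) {
            return new WebAppUser(name, null);            // ordinary user name (FORM/BASIC login)
        }
        String cn = firstRdnValue(dn, "CN");
        return new WebAppUser(cn != null ? cn : name, name);
    }

    private static LdapName parseDn(String s) {
        try {
            LdapName dn = new LdapName(s);
            return dn.size() == 0 ? null : dn;
        } catch (InvalidNameException e) {
            return null;   // plain user names such as "alice" are not valid DNs
        }
    }

    private static String firstRdnValue(LdapName dn, String type) {
        // LdapName indexes RDNs rightmost-first; the most specific RDN is at the highest index.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            if (type.equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for what a container might return.
        Principal cert = new X500Principal("CN=Alice Example,OU=Dev,O=Example Corp,C=US");
        Principal form = () -> "alice";   // Principal's only abstract method is getName()
        for (Principal p : new Principal[] { cert, form, null }) {
            WebAppUser u = from(p);
            System.out.println(u == null ? "unauthenticated"
                    : u.getName() + " certificate=" + u.isCertificateUser() + " dn=" + u.getSubjectDn());
        }
    }
}
```

The point of the mapping is the one made in the message: the web-app, not the container, decides what "who the user is" means. Authorization decisions should then be made against WebAppUser (or its subjectDn when a certificate was used), never against the raw string from getRemoteUser(), which is undefined for certificate logins.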