On 10/16/2015 5:51 AM, Mark Thomas wrote:
On 16/10/2015 11:44, Rémy Maucherat wrote:
What's not clear to me at this point is if jaspic should replace the
current "classic" auth methods. For example, the supposed benefit of jaspic
is that it makes container auth not proprietary, but looking at the code
that is there it sounds still quite proprietary in practice and almost
impossible to use from webapps. So what's the point exactly ?
The main benefit for me is that once Tomcat implements JASPIC, there are
a handful of 3rd party modules that users will then be able to use just
by adding the lib to Tomcat. It also provides a standard API for users
to work against if they want to develop their own custom modules. Those
modules would then be usable with any container that implements JASPIC.
Today if one wants a portable but custom authentication mechanism, one
has to forgo/remove security constraints from one's web.xml and
implement the mechanism as a servlet request filter -- with its own
security constraint configuration mechanisms.
My understanding with JASPIC is that one should be able to add
authentication mechanisms that (1) use the same code across any
container that supports JASPIC [as Mark notes] and (2) still use
standard security constraints in one's web.xml to configure
authentication constraints.
--
Jess Holle
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
