Hi,

See you guys are making good progress with the JASPIC implementation in Tomcat.

One commit that I noticed is the following: https://github.com/apache/tomcat/commit/3e1b4931867a12a74e9e9fe7ff86484cc65a21e6

It says: "Remove the programmatic login/logout override, as I don't see how JASPIC can interact with it."

I haven't looked further for the exact context here, but in general JASPIC interacts with both the corresponding methods in HttpServletRequest.

In case of login(), an exception has to be thrown when a SAM is configured. The rationale is that a SAM can't handle just login(), as a SAM is an authentication mechanism that may or may not delegate to an identity store. Login() is intended to go to a server specific identity store (Tomcat calls it realm). Since there's no standard mechanism for a SAM to delegate to this server specific identity store, it can't handle login(), hence the exception.

In case of logout(), next to what the server normally would do, the SAM's cleanSubject() method has to be called.

Hope this helps.

Kind regards,
Arjan Tijms

--
View this message in context: http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5043520.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.