https://bz.apache.org/bugzilla/show_bug.cgi?id=64715
Bug ID: 64715
Summary: PasswordValidationCallback not supported
Product: Tomcat 9
Version: 9.0.37
Hardware: PC
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: JASPIC
Assignee: dev@tomcat.apache.org
Reporter: robert.rodew...@kopsis.com
Target Milestone: -----

The JASPIC 1.1 specification (section 4.9.2) requires a runtime to provide a CallbackHandler that supports the PasswordValidationCallback. This callback is not implemented in Tomcat.

I would like to provide a patch for this, but would like to check some details first.

The callback has to be implemented in the CallbackHandlerImpl. This is relatively straightforward, but as we need the realm associated with the current context to be able to check the password, it can't stay a singleton.

So what I propose:

- change CallbackHandlerImpl from singleton to standard class (one per context)
- add parameter to constructor to pass the current context to the handler (not the realm because this would break changing the associated realm through JMX)
- update initialization code in AuthenticatorBase accordingly
- implement the callback by calling context.getRealm().authenticate(user, pass)

(optional)

- when dynamic initialization of a CallbackHandler is used (see jaspicCallbackHandlerClass config parameter of AuthenticatorBase), use introspection to search for a "setContext" and pass the context to the handler

Any comments are welcome.

Questions:

- Should I check some annotations (e.g. @Resource) for the injection of the context in case of dynamic instantiation?
- How about instantiating the default CallbackHandler the same way as the dynamic class (no duplicate instantiation code, only a default class name)?
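
The per-context handler proposed in the report, sketched as an added example; it is not part of the original report and not Tomcat's own code. The class name `ContextCallbackHandler` is hypothetical, and the sketch assumes the Tomcat 9 and JASPIC 1.1 (`javax.security.auth.message`) APIs on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.PasswordValidationCallback;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;

// Hypothetical class: one instance per web application context, not a singleton.
public class ContextCallbackHandler implements CallbackHandler {

    // Hold the context, not the realm, so a realm replaced later is still picked up.
    private final Context context;

    public ContextCallbackHandler(Context context) {
        this.context = context;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof PasswordValidationCallback) {
                validate((PasswordValidationCallback) callback);
            } else {
                // This sketch covers only the callback the report is about.
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    private void validate(PasswordValidationCallback pvc) {
        String username = pvc.getUsername();
        char[] password = pvc.getPassword();
        // Resolve the realm on every call rather than caching it at construction.
        Realm realm = context.getRealm();
        Principal principal = null;
        if (realm != null && username != null && password != null) {
            // Realm.authenticate(String, String) needs a String copy of the password.
            principal = realm.authenticate(username, new String(password));
        }
        // Fail closed: no realm, missing credentials or a rejected login all give false.
        pvc.setResult(principal != null);
        // Assumption of this sketch: expose the authenticated principal via the Subject.
        if (principal != null && pvc.getSubject() != null) {
            pvc.getSubject().getPrincipals().add(principal);
        }
    }
}
```

Because the handler keeps the `Context` and calls `getRealm()` per request, a missing realm results in a failed validation rather than an exception or a stale realm reference.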