In reviewing references to Java EE (and J2EE) remaining in the Tomcat 10 repo I found the following:

<quote source="webapps/docs/config/realm.xml">
JAASRealm is prototype for Tomcat of the JAAS-based J2EE authentication
framework for J2EE v1.4, based on the <a
href="https://www.jcp.org/en/jsr/detail?id=196">JCP Specification Request 196</a>
to enhance container-managed security and promote 'pluggable' authentication
mechanisms whose implementations would be container-independent.
</quote>

JSR became JASPIC (now Jakarta Security) and Tomcat has an implementation.

Searching through the mailing lists I found the following references to usage of the JAASRealm (going back ~5 years).

[1] Tomcat 7 user using JAAS based auth to an LDAP server
[2] Tomcat 9 user using SPNEGO with the JAAS realm
[3] Tomcat 8.5 user using SPNEGO with the JAAS realm
[4] Tomcat 7 users with custom CLIENT-CERT auth based on JAAS realm
[5] User wanting access to HttpServletRequest during auth

Most, if not all, of those have better solutions available than the JAAS Realm. And those wanting some form of custom auth do have the "proper" Jakarta Security API to work with.

Therefore, I'm not currently seeing a good reason to keep the JAASRealm. Any objections to immediate deprecation with removal planned for 10.1.x?

Mark


[1] http://markmail.org/message/ndvr5ilxovoo4ins
[2] http://markmail.org/message/5ocdnmqvvlvjsxas
[3] http://markmail.org/message/wki275i5yhlg3yyo
[4] http://markmail.org/message/av2sv6g4kgm6ouu4
[5] http://markmail.org/message/fm4ggo3ge4r47gar
