IMHO filters like securityfilter are the right solution for authentication, users can use them in any container and have full control over everything.
It is possible to add some hooks into tomcat so that filters like this can fully replace the built-in authentication, for example using 'magic' attributes so you don't have to depend on container-specific APIs - +1 on that. I haven't looked at the code, I have close to 0 free time this month - the main issue with bringing this code into apache or tomcat is community, i.e. having enough developers who can actively maintain it. Costin On Fri, Apr 30, 2010 at 9:50 AM, Mark Thomas <ma...@apache.org> wrote: > On 29/04/2010 17:38, Christopher Schultz wrote: > > David, > > > > On 4/28/2010 6:40 PM, David Jencks wrote: > >> I'd be curious how many of the features in securityfilter can be done > >> with servlet 3 (which includes the ability for an app to > >> programatically force a login) and jaspic (jsr 196) which provides > >> for pluggable authentication dialogs between client and server (to > >> overly simplify it). It looks to me as if all the features in your > >> brief description are now supported by ee specs, which also offer the > >> advantages of container managed authorization. > > > > I guess my question would be "how much of servlet 3 has been implemented > > in TC7 at this point"? sf could be the basis for both the new features > > required by the spec as well as achieving the internal goal of > > converting Valves to Filters. > > The Servlet 3.0 stuff is pretty much finished. Just the odd bug to iron > out. JSR 196 hasn't been looked at yet. > > Mark > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
