https://bz.apache.org/bugzilla/show_bug.cgi?id=57708
--- Comment #4 from Mark Thomas <ma...@apache.org> ---

I did look at this yesterday and I got as far as having something ready to commit, but I'm not entirely happy with it.

The question is where to do the authorization.

If authorization is done in the CoyoteAdaptor (the Context and therefore the Realm is available) then it will work regardless of the Authenticator implementation that is used. The downside is that it happens before the Principal caching that avoids large numbers of Realm lookups is reached (this is in AuthenticatorBase). It also makes an assumption that the request mapping won't change (e.g. by the RewriteValve).

If authorization is done in AuthenticatorBase then Connector authorization depends on the Authenticator implementation and that doesn't seem right.

I've looked at several options and - so far - all of them have issues. I'll spend some more time thinking about this.