users@glassfish.java.net

Re: login.jsp customized by original target url

From: <glassfish_at_javadesktop.org>
Date: Mon, 14 Apr 2008 11:13:45 PDT

> TAI lets you write a custom authentication mechanism
> that can let you do things like redirect to an
> external login page, check some success token and
> assert a principal on the request.
>
> I think it only happens for unauthenticated requests,
> but it sounds like 196 happens every request.

The servlet contract requires that the auth module be called on every request, to ensure that the auth module can manage sessions, which includes making sure that the auth module gets a chance to establish the user principal when a request is made to an unprotected resource following a request to a protected page.

>
> IMHO, the TAI interface looks significantly cleaner.
> It takes a request, response and the status is all
> returned in a TAIResult object which contains a
> status ala AuthStatus as well as a location to assert
> the principal.
>
> The spnego example for 196 seems to push and pull and
> a lot stuff into a lot of places in the messageInfo
> and clientSubject as well as returning the
> appropriate AuthStatus.
>
> Just seems like a lot of moving parts... anyways...
>
> I was trying out a small 196 implementation, but I
> got a little stuck on the configuring the application
> piece.
>
> In your blog, when you said "sun-web-app.xml", did
> you mean to say "sun-web.xml"?

Yes, sorry.

>
> Could you provide a sample of what
> "httpservlet-security-provider attribute" should look
> like?
>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="" httpservlet-security-provider="testProvider">
  <context-root>/FBLTest</context-root>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="classdebuginfo" value="true">
      <description>Enable debug info compilation in the generated servlet class</description>
    </property>
    <property name="mappedfile" value="true">
      <description>Maintain a one-to-one correspondence between static content and the generated servlet class' java code</description>
    </property>
  </jsp-config>
</sun-web-app>

FWIW, the GFAuthConfigProvider understands sun-web.xml and domain.xml. If you would like to configure your provider in another way, you can implement your own AuthConfigProvider and register it at the factory for your app.
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=269106