I'm looking into putting my own authentication and authorization
implementations between users and a servlet.
I can imagine 3 tomcat locations where I can call the authentication
and authorization implementations:
1. from a servlet
2. from a connector
3. from an interceptor
If the user doesn't have a certificate, I would like to get a
username/password that I could authenticate with Kerberos or some
other mechanism.
After I find out who the user is, I want to determine what the user is
allowed to do.
The interceptor seems like an attractive solution as the
RequestInterceptor class has authenticate and authorize methods. I
have no idea how to get my own subclass of this into tomcat.
The connector seems like an attractive solution as it seems to be
active between the user and a servlet. It also seems to be something
that is external to tomcat and that tomcat can dynamically load. I'm
not sure how I would configure tomcat to find my connector and at what
point in the authentication/authorization process it would be executed.
The servlet seems a little bit too far along in the application to be
doing authentication/authorization. Each servlet would need to call
the same authentication/authorization code and I can imagine that it
might be a little difficult to keep the versions under control.
So, I was wondering if somebody could point me in the right direction
for choosing the architectural point to deal with this problem and at
some doc with an example that I might use to get me going.
Currently, we don't have internal support for version 5 of tomcat, only
version 4.x, but I could install version 5 if it makes this problem
easier to solve.
Thanks,
--Chuck