[securityfilter-devel] Early authorization in sf
From: Christopher S. <ch...@ch...> - 2008-06-12 12:48:47
All,

I'm working on re-architecting sf so that it is easier to understand, and more extensible. I've been looking at section 12.7.3 of the servlet specification (v2.5) which says that missing <security-constraint> or <auth-constraint> constraints on a particular request mean that the request should be authorized.

Since sf allows authentication at any time, should this "early authorization" trump the need for authentication at all?

I'm guessing "no". That would prevent authentication from occurring unless constraints were placed on the URL being requested, which is probably not intended at all.

So, if there is no security-constraint or no auth-constraint, then the request will be considered authorized. If the request contains authentication information (according to one of the authenticators, of course), then we will process it. If authentication fails, we will take appropriate action depending on the type of authentication (BASIC, DIGEST, FORM, or CLIENT-CERT).

So, "early authorization" is, in fact, not early at all (I had been using a method that is called before the authentication to determine if the request is authorized before any additional processing occurs). Thus, all authorization may be performed /after/ authentication.

Does that all sound right?

Thanks,
-chris
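
The ordering described in the message above, as an added sketch that is not part of the original post and not SecurityFilter's own code. All class, method and field names are hypothetical, the user store and constraint are constructed sample data, and constraint matching is simplified to first matching URL prefix.

```java
import java.util.*;

// Added illustration; names are hypothetical, not SecurityFilter's API.
public class AuthOrderSketch {
    enum Outcome { PROCEED, AUTH_FAILED, LOGIN_REQUIRED, FORBIDDEN }

    // One <security-constraint>: a URL prefix plus the roles of its
    // <auth-constraint> (roles == null means no <auth-constraint> element).
    static final class Constraint {
        final String prefix; final Set<String> roles;
        Constraint(String prefix, Set<String> roles) { this.prefix = prefix; this.roles = roles; }
    }

    // Constructed stand-ins for the realm (username -> roles) and the config.
    static final Map<String, Set<String>> USERS = new HashMap<>();
    static final List<Constraint> CONSTRAINTS = new ArrayList<>();

    // user == null means the request carries no authentication information.
    static Outcome decide(String path, String user, boolean credentialsValid) {
        // Step 1: authentication runs whenever credentials are present,
        // whether or not the requested URL is constrained.
        Set<String> roles = null;
        if (user != null) {
            if (!credentialsValid || !USERS.containsKey(user)) return Outcome.AUTH_FAILED;
            roles = USERS.get(user);
        }
        // Step 2: authorization, always evaluated after authentication.
        for (Constraint c : CONSTRAINTS) {
            if (!path.startsWith(c.prefix)) continue;
            if (c.roles == null) return Outcome.PROCEED;      // no auth-constraint
            if (roles == null) return Outcome.LOGIN_REQUIRED; // constrained, anonymous
            return Collections.disjoint(roles, c.roles) ? Outcome.FORBIDDEN : Outcome.PROCEED;
        }
        return Outcome.PROCEED; // no security-constraint matches the URL
    }

    public static void main(String[] args) {
        USERS.put("alice", new HashSet<>(Arrays.asList("admin")));
        USERS.put("bob", new HashSet<>(Arrays.asList("user")));
        CONSTRAINTS.add(new Constraint("/admin/", new HashSet<>(Arrays.asList("admin"))));
        System.out.println(decide("/public/a", null, false));  // anonymous, unconstrained URL
        System.out.println(decide("/public/a", "bob", false)); // bad credentials, unconstrained URL
        System.out.println(decide("/admin/x", null, false));   // anonymous, constrained URL
        System.out.println(decide("/admin/x", "bob", true));   // authenticated, lacks the role
        System.out.println(decide("/admin/x", "alice", true)); // authenticated, holds the role
    }
}
```

The second call is the case the message turns on: a failed login on an unconstrained URL is still handled as an authentication failure, because the authorization check never runs ahead of authentication.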