Re: [Pki-devel] Revocation investigation with Shared Tomcat instance

On 10/21/2014 12:47 PM, John Magne wrote: Here's the change history of the file: git log --follow base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java We did some cleanups, but I don't think we changed the functionality. On Tomcat the smallest scope that a realm can be configured is at Context level, so each web application (i.e. subsystem) can only have one realm. See http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Configuring_a_Realm). Also, Realm only has limited interface: - authenticate(username, password) - authenticate(certs) See http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/Realm.html. So there's no way for a realm to know which URL path or servlet the client is trying to access. Authentication has to be based on the above parameters only, so that's why the auth manager needs to be hard-coded. The Realm is only used by the CLI/REST services. It doesn't affect the auth mechanisms used by the existing servlets. Is there any need to use other auth managers with REST services? I believe the issue was originally filed for CLI, which always uses the CertUserDBAuthentication. So I think we should focus the investigation there. I'm not familiar with the other auth managers, so I don't know whether they are relevant for CLI. -- Endi S. Dewata