geronimo-dev mailing list archives

From Jan Bartel <>
Subject Re: Jetty and JACC
Date Thu, 20 Nov 2003 20:40:24 GMT
Alan D. Cabrera wrote:
> I'm looking at Jetty v5.0alpha and it's not clear to me where the best
> place is to hook in authorization.  While authentication seems pretty
> pluggable, via the UserRealm interface. 

Yes, specializing the UserRealm and Jetty's UserPrincipal are the way to 
go. Take a look at the JettyPlus stuff in 
$JETTY_HOME/extra/plus/src/org/mortbay/jaas package for some examples.

> It seems the only way to plug
> in authorization is to replace the SecurityHandler, which seems to be a
> little draconian.
> You may need a little background.  JACC requires that authorization
> decisions go through a JACC policy provider and it's pretty specific
> about how this is done.  I was hoping to drop in a Geronimo web
> authorization module that takes a principal, data constraint, method,
> path, and deployment id, and perform this JACC authorization check.  It
> seems that a way to drop in a replacement for the static method
> SecurityConstraint.check() would be handy.  It's not clear to me how I
> would get the deployment id from there.

I haven't looked at the JACC stuff (yet) so these are just initial 
comments until I catch up on my reading ....

You don't necessarily have to replace a particular Jetty Handler. 
Handlers are arranged in a chain, so to introduce new behaviour it is 
possible to just insert another Handler in the chain. Not sure if this 
will be possible here or not.

Also, there is an access point into the web app context that is called 
as a thread enters and leaves a web app which might be another place to 
look at if you need to set up any thread local stuff (we've already 
subclassed the standard Jetty web app as 

Finally, however it is done, we need to keep in mind that we must also 
be able to plug in other web containers.

> Thoughts?

Let me have a read of the JACC spec so I have a better understanding 
what is required and I can comment better.
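
Added example, not part of the original message and not Jetty or Geronimo code: one way to perform the JACC check described in the quoted question, taking the caller's principals, the transport guarantee, method, path and deployment id. The class `JaccWebCheck` and its method are hypothetical; it assumes the `javax.security.jacc` API is on the classpath and a JACC policy provider is installed as the system `Policy`.

```java
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;

/** Hypothetical helper: one JACC authorization decision per request. */
public final class JaccWebCheck {

    /**
     * @param contextId  deployment id the web app's permissions were registered under
     * @param principals the caller's principals; an empty array if unauthenticated
     * @param path       request path relative to the web app context, e.g. "/admin/list"
     * @param method     HTTP method, e.g. "GET"
     * @param secure     true if the request arrived over a confidential transport
     * @return true only if both the data constraint and the resource constraint pass
     */
    public static boolean isAllowed(String contextId, Principal[] principals,
                                    String path, String method, boolean secure) {
        // The policy context id is per thread: set it on entry, restore it on exit,
        // so a pooled thread never evaluates a request against another deployment.
        String previous = PolicyContext.getContextID();
        PolicyContext.setContextID(contextId);
        try {
            Policy policy = Policy.getPolicy();
            ProtectionDomain caller = new ProtectionDomain(
                    new CodeSource(null, (Certificate[]) null), null, null, principals);

            // Data constraint: does the deployment allow this method over this transport?
            String transport = method + (secure ? ":CONFIDENTIAL" : ":NONE");
            if (!policy.implies(caller, new WebUserDataPermission(path, transport))) {
                return false;
            }
            // Resource constraint: may these principals use this method on this path?
            return policy.implies(caller, new WebResourcePermission(path, method));
        } finally {
            PolicyContext.setContextID(previous);
        }
    }

    private JaccWebCheck() { }
}
```

A handler inserted into the chain, or the web app enter/leave hook mentioned above, would be the caller of `isAllowed`; how the deployment id reaches it is the open question in the thread.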

