geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Bartel <>
Subject Re: Jetty and JACC
Date Thu, 20 Nov 2003 22:45:21 GMT

Just had a quick scan of the spec before I go off to my day job. Is it a 
fair summary to say the scope of the issue is this:

1. conversion of web.xml declarations into jacc permissions
    and registration of same with external (in this case Geronimo)
    Policy provider
2. registration by servlet container of various Policy context handlers,
    esp. a HttpServletRequest Policy handler
3. servlet container enforced checking of jacc permissions at various
4. movement of the servlet container's existing security checking on
    URL patterns etc into an external Policy provider implementation

Seems like the jacc spec crosses over with the servlet spec in regards 
URL pattern matching and security constraint specifications. This may be 
an issue. Also seems like this is a pretty deep, fundamental shift in 
the structure of the servlet container to support this stuff.

This will need some thought. I'll forward this to Greg to get his 
feedback on it.


>>You don't necessarily have to replace a particular Jetty Handler. 
>>Handlers are arranged in a chain, so to introduce new behaviour it is 
>>possible to just insert another Handler in the chain. Not 
>>sure if this 
>>will be possible here or not.
> It's not possible since the web container must solely rely on the JACC
> permission check.  If I put a JaccHandler in the chain, after the
> SecurityHandler, it effectively short circuits the JACC permission check.
> If I put the JaccHandler before the SecurityHandler, it virtually removes
> the SecurityHandler.
>>Also, there is an access point into the web app context that 
>>is called 
>>as a thread enters and leaves a web app which might be 
>>another place to 
>>look at if you need to set up any thread local stuff (we've already 
>>subclassed the standard Jetty web app as 
> Good idea.  Thanks for the pointer.
>>Finally, however it is done, we need to keep in mind that we 
>>must also 
>>be able to plug-in other web containers.
> Yep, I think I'm there on that account w/ the basic building blocks, their
> mbeans, and utility classes.
>>Let me have a read of the JACC spec so I have a better understanding 
>>what is required and I can comment better.
> Some advice, skim chapter three.  It's a tedious spec on how to translate
> the descriptors into sets of Permissions.  Chapter 4 is where the tire hits
> the road, more specifically section 4.2.
> Regards,
> Alan
> ---------------------------------------------------------------- 
>       Visit our Internet site at 
> Get closer to the financial markets with Reuters Messaging - for more
> information and to register, visit <> 
> Any views expressed in this message are those of  the  individual sender,
> except  where  the sender specifically states them to be the views of The
> Reuters Group.

View raw message