geronimo-dev mailing list archives

From "Alan D. Cabrera" <>
Subject RE: Jetty and JACC
Date Thu, 20 Nov 2003 23:53:43 GMT

> -----Original Message-----
> From: Jan Bartel []
> Just had a quick scan of the spec before I go off to my day job. Is it
> a fair summary to say the scope of the issue is this:

When you speak of the scope of the issue, do you mean the scope of the
spec?  I ask this because points 1 and 2 are already done.

> 1. conversion of web.xml declarations into jacc permissions
>     and registration of same with external (in this case Geronimo)
>     Policy provider
> 2. registration by servlet container of various Policy context
>     esp. a HttpServletRequest Policy handler
> 3. servlet container enforced checking of jacc permissions at various
>     points
> 4. movement of the servlet container's existing security checking on
>     URL patterns etc into an external Policy provider implementation

Items 3 and 4 are intertwined, no?  I'm not sure why you broke them
into two parts.

> Seems like the jacc spec crosses over with the servlet spec in regards
> URL pattern matching and security constraint specifications. This may
> be an issue.

You seem to be correct in that JACC outlines how the security constraint
checks are to be performed, using Permissions.  The semantics should be
the same.

> Also seems like this is a pretty deep, fundamental shift in
> the structure of the servlet container to support this stuff.

I don't think that this is a fundamental shift in the structure of the
Jetty servlet container to support this stuff.  I think that all we need
to do to support the JACC authorization is to make the
SecurityConstraint.check() method pluggable.  The rest works w/ Jetty as
is.  If I have time, I'll toss something up on Jira for you to look at.

> This will need some thought. I'll forward this to Greg to get his
> feedback on it.


