geronimo-dev mailing list archives

From "Alan D. Cabrera" <...@toolazydogs.com>
Subject RE: Jetty and JACC
Date Sun, 23 Nov 2003 17:10:44 GMT
Thanks for covering for me Dave!

> -----Original Message-----
> From: David Blevins [mailto:david.blevins@visi.com]
> 
> Greg,
> 
> Jumping in for Alan to get you some quick answers. I'm sure Alan will
> chime in later.
> 
> On Sun, Nov 23, 2003 at 02:06:51AM +0000, Greg Wilkins wrote:
> > Will JACC require the servlets (etc.) to be run as part
> > of a Subject.doAs(...), or is it just sufficient to associate
> > an AccessControlContext with a thread?
> 
> Associating the AccessControlContext with the thread is compliant, and
> *much* faster than a Subject.doAs.  As Alan explained to me, Subject.doAs
> involves combining all the protection domains in scope into one -- about
> 100,000 nanoseconds.

Dave is correct, I associate an AccessControlContext with the thread
rather than perform a Subject.doAs.  I initially got caught up with all
that subject domain combiner stuff and ended up going w/ an
AccessControlContext which gets generated at login; see my
LoginModuleWrapper.

> > If the former (and probably in the latter), I think we may want to
> > consider putting much of JACC into a container supplied Filter, as
> > it has the right calling semantics. Also a filter will be more portable
> > between containers and is in line with some ideas floated on JSR154
> > regarding pluggable authentication in the next rev of the servlet spec.
> 
> A filter will work beautifully for checking WebResourcePermission and
> WebUserDataPermission.  The WebRoleRefPermission is checked as the result
> of an isCallerInRole callback, so a little more magic will be required
> there.

A filter for authorization sounds interesting.  Would this be something
like the SecurityHandler that's in Jetty?


Regards,
Alan
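
The filter approach discussed in this thread, as an added sketch that is not part of the original message and is not Geronimo or Jetty code: a servlet Filter that checks WebUserDataPermission and WebResourcePermission against an AccessControlContext associated with the request thread, without a Subject.doAs. The class name, the `CALLER_ACC` thread-local holder and the 401/403 responses are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JaccAuthorizationFilter implements Filter {

    // Hypothetical holder: the container is assumed to place the
    // AccessControlContext generated at login here for the request thread.
    static final ThreadLocal<AccessControlContext> CALLER_ACC = new ThreadLocal<>();

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        AccessControlContext acc = CALLER_ACC.get();
        if (acc == null) {
            // Fail closed: no context on the thread means no authorization decision.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // Transport guarantee first, then the resource (URL pattern + HTTP method).
            acc.checkPermission(new WebUserDataPermission(request));
            acc.checkPermission(new WebResourcePermission(request));
        } catch (AccessControlException denied) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // WebRoleRefPermission is not checked here: it is evaluated on the
        // isCallerInRole callback, which a filter does not intercept.
        chain.doFilter(request, response);
    }
}
```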


