geronimo-dev mailing list archives

From "Alan D. Cabrera" <>
Subject RE: Jetty and JACC
Date Sun, 23 Nov 2003 17:45:50 GMT

> -----Original Message-----
> From: Jan Bartel []
> What will be the relationship between JAAS login module authentication
> and jacc WebRoleRefPermission checking? Pre-jacc, isCallerInRole ()
> implemented by examining the list of Principals representing roles
> were populated by a JAAS login module at authentication time. With
> the checking is done by equating the role with a Permission and
> if the Principal of the caller has been granted the permission, so
> JAAS login modules be granting a Permission for each role a user is

The mapping of Permissions to principals using roles occurs at
configuration time.  Look at PolicyConfiguration.commit(); this is where
the mapping takes place and allows for a simple permission check w/ a
principal instead of mapping roles on the fly.  This is an important
difference: once commit is called, roles are no longer used, since all
permissions have been directly mapped to principals.

When you login using the registered GeronimoLoginConfiguration, see
LoginPropertiesFileTest for an example, the LoginModuleWrapper creates
an AccessControlContext for the authenticated Subject and registers that
context w/ that subject.  When a user makes a call on the interceptor
stack, the Subject gets pushed into the context via 


When you do a permissions check, see EJBSecurityInterceptor, the
AccessControlContext that is associated w/ the Subject is grabbed and
checkPermission is called.  This call, in turn, calls the registered
Policy provider, see GeronimoPolicy.implies().

I am contemplating the idea of having container providers provide a
PolicyConfiguration factory for their containers.  These
PolicyConfigurations would be optimized for the abilities of their
containers.  For example, the generic Geronimo container passes around
the Method instance per call.  The OpenEJB Nova container has a method
index making certain optimizations, e.g. using bitvecs for permissions,
available.  OpenEJB Nova would register its own
PolicyConfigurationFactory for its containers for the security server to

> I'd like to start integrating Jetty's authentication mechanism with
> Geronimo's. I've had a quick look in the core security package.
> special I need to know?

I've already started to take a crack at this.  Here's a piece.  You have
to set the MBeanServer for the GeronimoLoginConfiguration since there
can be multiple MBeanServers in the JVM.  (I'm not particularly pleased
w/ the way I have to do this and would appreciate some ideas on this.)
The call to PolicyContext.setContextID() sets the context id which my
Policy implementation uses to pick up the right PolicyConfiguration.

import javax.management.MBeanServer;
import javax.naming.Context;
import javax.security.jacc.PolicyContext;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.mortbay.http.HttpRequest;
import org.mortbay.http.HttpResponse;
import org.mortbay.jetty.servlet.WebApplicationContext;

public class JettyWebApplicationContext extends WebApplicationContext {
    private Context componentContext;
    private MBeanServer server;
    private String contextID;
    private Log log = LogFactory.getLog(JettyWebApplicationContext.class);

    public JettyWebApplicationContext() {
        super();
    }

    public JettyWebApplicationContext(String webApp) {
        super(webApp);
    }

    public Object enterContextScope(HttpRequest httpRequest,
                                    HttpResponse httpResponse) {
        // Tell the JACC PolicyContext which PolicyConfiguration applies to
        // this web app; the Policy implementation keys off this id.
        // (The call that hands the MBeanServer to GeronimoLoginConfiguration
        // is not present in the archived message.)
        PolicyContext.setContextID(contextID);
        // Logging call reconstructed; the archive lost the method name.
        log.info("Entering context " + httpRequest.getRequestURL());
        return super.enterContextScope(httpRequest, httpResponse);
    }

    public void leaveContextScope(HttpRequest httpRequest,
                                  HttpResponse httpResponse, Object o) {
        super.leaveContextScope(httpRequest, httpResponse, o);
        // Clear the context id so later checks on this thread cannot
        // accidentally use this web app's PolicyConfiguration.
        PolicyContext.setContextID(null);
        log.info("Leaving context " + httpRequest.getRequestURL());
    }

    public Context getComponentContext() {
        return componentContext;
    }

    public void setComponentContext(Context componentContext) {
        this.componentContext = componentContext;
    }

    public MBeanServer getServer() {
        return server;
    }

    public void setServer(MBeanServer server) {
        this.server = server;
    }

    public String getContextID() {
        return contextID;
    }

    public void setContextID(String contextID) {
        this.contextID = contextID;
    }
}