geronimo-dev mailing list archives

From "Alan D. Cabrera" <>
Subject RE: Jetty and JACC
Date Mon, 24 Nov 2003 01:21:28 GMT

> -----Original Message-----
> From: Jan Bartel []
> Sent: Sunday, November 23, 2003 4:22 PM
> To:
> Subject: Re: Jetty and JACC
> Alan,
> > The mapping of Permissions to principals using roles occurs at
> > configuration time.  Look at PolicyConfiguration.commit(), this is
> > the mapping takes place and allows for a simple permission check w/
> > principal instead of mapping roles on the fly.  This is an important
> > difference, once commit is called, roles are no longer used since
> > permissions have been directly mapped to principals.
> I'm still missing a piece of the puzzle (mustn't have had enough coffee
> this morning). I understand that at deploy time for a webapp, the
> web.xml is parsed and a bunch of policy statements are created and
> loaded into the Policy provider. These policy statements are then
> evaluated at runtime by the Policy at the instigation of the
> Some checks involve the identity of the user executing the code and
> roles that the user has been granted. Usually, the roles for a user
> discovered and cached when the user authenticates. Are you saying
> this dynamic behaviour is no longer possible and that the container
> load all users and their roles once-only at deploy time instead so
> they can be mapped to Permissions? If so, then I have two concerns: 1)
> scalability  2) manageability.

I'm probably over-explaining everything.  I think that we're saying the
same thing.  I just want to stress that after deployment, roles are no
longer directly used.  A user's principals are obtained at login; this
is virtually the same as saying the "roles for a user are discovered and
cached when the user authenticates".

> Thanks for the JettyWebApplicationContext stuff, have you committed
> cheers
> Jan
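
An added illustration of the point discussed in this message (not code from the thread, Geronimo or Jetty): a toy model in which commit() flattens role-to-permission and role-to-principal mappings into principal-to-permission grants, so the runtime check consults only the principals obtained at login. The class, the mapRole helper, the group principal type and all role, principal and permission names are assumptions made for the example.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Principal;
import java.util.*;

// Toy model only: a hypothetical class, not javax.security.jacc.PolicyConfiguration.
public class CommitTimeMapping {
    // Constructed principal type; records give equality by name.
    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    static Permission perm(String name) { return new BasicPermission(name) {}; }

    private final Map<String, List<Permission>> rolePerms = new HashMap<>();
    private final Map<String, Set<Principal>> rolePrincipals = new HashMap<>();
    private Map<Principal, List<Permission>> committed; // null until commit()

    void addToRole(String role, Permission p) {
        rolePerms.computeIfAbsent(role, r -> new ArrayList<>()).add(p);
    }
    void mapRole(String role, Principal pr) { // hypothetical, provider-specific step
        rolePrincipals.computeIfAbsent(role, r -> new HashSet<>()).add(pr);
    }
    // Flatten role->permissions and role->principals into principal->permissions.
    void commit() {
        Map<Principal, List<Permission>> flat = new HashMap<>();
        rolePerms.forEach((role, perms) ->
            rolePrincipals.getOrDefault(role, Set.of()).forEach(pr ->
                flat.computeIfAbsent(pr, k -> new ArrayList<>()).addAll(perms)));
        committed = flat;
    }
    // Runtime check: role names are never consulted, only login principals.
    boolean implies(Set<Principal> loginPrincipals, Permission requested) {
        if (committed == null) throw new IllegalStateException("not committed");
        for (Principal pr : loginPrincipals)
            for (Permission granted : committed.getOrDefault(pr, List.of()))
                if (granted.implies(requested)) return true;
        return false;
    }
    public static void main(String[] args) {
        CommitTimeMapping pc = new CommitTimeMapping();
        pc.addToRole("manager", perm("reports.*")); // constructed sample data
        pc.addToRole("clerk", perm("orders.view"));
        pc.mapRole("manager", new GroupPrincipal("finance-leads"));
        pc.mapRole("clerk", new GroupPrincipal("staff"));
        pc.commit();
        Set<Principal> atLogin = Set.of(new GroupPrincipal("staff"));
        System.out.println(pc.implies(atLogin, perm("orders.view")));
        System.out.println(pc.implies(atLogin, perm("reports.q3")));
    }
}
```

In this sketch the committed map is keyed by group principals rather than by individual users, so nothing about a particular user is needed until that user logs in and presents principals.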
