geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan D. Cabrera" <...@toolazydogs.com>
Subject RE: Jetty and JACC
Date Mon, 24 Nov 2003 01:21:28 GMT


> -----Original Message-----
> From: Jan Bartel [mailto:janb@mortbay.com]
> Sent: Sunday, November 23, 2003 4:22 PM
> To: geronimo-dev@incubator.apache.org
> Subject: Re: Jetty and JACC
> 
> Alan,
> 
> > The mapping of Permissions to principals using roles occurs at
> > configuration time.  Look at PolicyConfiguration.commit(), this is
where
> > the mapping takes place and allows for a simple permission check w/
a
> > principal instead of mapping roles on the fly.  This is an important
> > difference, once commit is called, roles are no longer used since
all
> > permissions have been directly mapped to principals.
> 
> I'm still missing a piece of the puzzle (musn't have had enough coffee
> this morning). I understand that at deploy time for a webapp, the
> web.xml is parsed and a bunch of policy statements are created and
> loaded into the Policy provider. These policy statements are then
> evaluated at runtime by the Policy at the instigation of the
container.
> Some checks involve the identity of the user executing the code and
the
> roles that the user has been granted. Usually, the roles for a user
are
> discovered and cached when the user authenticates . Are you saying
that
> this dynamic behaviour is no longer possible and that the container
must
> load all users and their roles once-only at deploy time instead so
that
> they can be mapped to Permissions? If so, then I have two concerns: 1)
> scalability  2) manageability.

I'm probably over explaining everything.  I think that we're saying the
same thing.  I just want to stress that after deployment, roles are no
longer directly used.  A user's principals are obtained at login, this
is virtually the same as saying the "roles for a user are discovered and
cached when the user authenticates".

> Thanks for the JettyWebApplicationContext stuff, have you committed
it?
> 
> cheers
> Jan
> 


Mime
View raw message