geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: Jacc questions
Date Tue, 17 Mar 2009 17:56:39 GMT

On Mar 17, 2009, at 10:30 AM, Jarek Gawor wrote:

> Hi,
> Looks like with the Jacc API there is no easy way to set multiple
> types of handler data objects on the same thread at the same time (see
> PolicyContext.setHandlerData()). That is, if for example, if a servlet
> makes a ejb call, from within the ejb we won't be able to retrieve the
> HttpServletRequest object using the PolicyContext API since the
> HttpServletRequest object will be replaced with the ejb call info
> object on the thread.
> So what's the best way to deal with this problem?
> One way to solve it, it would to set the handler data object to some a
> Map and set the handler data objects on the map. That would work as
> long as nothing else calls PolicyContext.setHandlerData() and replaces
> the map with some other object.
> Another way to solve it, it would be to create a GeronimoPolicyContext
> class (or something like that) which would support setting multiple
> types of handler data objects on the same thread at the same time (e.g
> GeronimoPolicyContext.setHandlerData(key, data)) AND modify Geronimo's
> PolicyContextHandlers to use GeronimoPolicyContext to get the right
> object for the handler. But with this solution we might be ignoring
> what's set using PolicyContext.setHandlerData().
> Thoughts?

The alleged purpose :-) of the policy context handler data is to  
provide context info for permission evaluation.

To me the main problem is that in this scenario:

servlet (servlet request)
 >>ejb (ejb method params)
return to servlet (still have ejb method params)

the servlet can't use the servlet request to evaluate role-ref  
permissions after the return from the ejb.

We could solve this problem by having each data handler have its own  
thread local and when you call setHandlerData it delegates to all the  
handlers which will store it if its the right type.  This solves the  
"lots of info at once" problem but prevents you from clearing the data  
when you are done unless we have some custom object for each handler  
that it recognizes to clear its own data.

So the handler would have a method like

public boolean setHandlerData(Object data) {
if (data instanceof HttpServletRequest) {
   return true;
} else if (data == CLEAR_OBJECT) {
   return true;
return false;

But, basically I think this is a  spec defect.

david jencks

> Jarek

View raw message