Return-Path: Delivered-To: apmail-geronimo-dev-archive@www.apache.org Received: (qmail 18525 invoked from network); 18 Mar 2009 16:37:16 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 18 Mar 2009 16:37:16 -0000 Received: (qmail 21199 invoked by uid 500); 18 Mar 2009 16:37:13 -0000 Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org Received: (qmail 21019 invoked by uid 500); 18 Mar 2009 16:37:12 -0000 Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list dev@geronimo.apache.org Received: (qmail 20648 invoked by uid 99); 18 Mar 2009 16:37:12 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 18 Mar 2009 09:37:11 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jgawor@gmail.com designates 74.125.46.30 as permitted sender) Received: from [74.125.46.30] (HELO yw-out-2324.google.com) (74.125.46.30) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 18 Mar 2009 16:37:03 +0000 Received: by yw-out-2324.google.com with SMTP id 3so84367ywj.85 for ; Wed, 18 Mar 2009 09:36:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=Linhm4t4UOYeJquc57QuBkqreNOMS2m7Ee7zqJMLF0Y=; b=wRf3xHwgg0ejBQSIGC7uPa6d3VMDYqNZiWqer5XdlPoWqRRU0x27AVM9L2u7XHNYsD IYHVHN+UOJ/4vpTkdMKTbtQpr+ssQeM96R9buJ6nQnO1sMJbQ2u2NF4DLWOnIiCHvszp zcxJysmov3y9GcLEiveoHEbUFMRDZJx2CgE6k= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=Y11vInJDfZqXUOxNqDwtLqHctDhMHTyJbGR/Spt6tAm7jas71rf26faLxU9OEmKLLT zZDuZRz8jWI8wsLobhmE5heJYiGAjGAaMBpewUKLqF4xhQwdSn9oSthiy2qsbKU7ifzG u1LjKDVBYzjEo2ssl2+xtsUNf4BCRa2UA/m30= MIME-Version: 1.0 Received: by 10.231.19.70 with SMTP id z6mr507160iba.29.1237394201814; Wed, 18 Mar 2009 09:36:41 -0700 (PDT) In-Reply-To: References: <5eb405c70903171030h684e788er5c0969879c66a157@mail.gmail.com> Date: Wed, 18 Mar 2009 12:36:41 -0400 Message-ID: <5eb405c70903180936ma4b3ca0jb35e0045feb07929@mail.gmail.com> Subject: Re: Jacc questions From: Jarek Gawor To: dev@geronimo.apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Tue, Mar 17, 2009 at 1:56 PM, David Jencks wrot= e: > > On Mar 17, 2009, at 10:30 AM, Jarek Gawor wrote: > >> Hi, >> >> Looks like with the Jacc API there is no easy way to set multiple >> types of handler data objects on the same thread at the same time (see >> PolicyContext.setHandlerData()). That is, if for example, if a servlet >> makes a ejb call, from within the ejb we won't be able to retrieve the >> HttpServletRequest object using the PolicyContext API since the >> HttpServletRequest object will be replaced with the ejb call info >> object on the thread. >> >> So what's the best way to deal with this problem? >> >> One way to solve it, it would to set the handler data object to some a >> Map and set the handler data objects on the map. That would work as >> long as nothing else calls PolicyContext.setHandlerData() and replaces >> the map with some other object. >> >> Another way to solve it, it would be to create a GeronimoPolicyContext >> class (or something like that) which would support setting multiple >> types of handler data objects on the same thread at the same time (e.g >> GeronimoPolicyContext.setHandlerData(key, data)) AND modify Geronimo's >> PolicyContextHandlers to use GeronimoPolicyContext to get the right >> object for the handler. But with this solution we might be ignoring >> what's set using PolicyContext.setHandlerData(). >> >> Thoughts? > > The alleged purpose :-) of the policy context handler data is to provide > context info for permission evaluation. > > To me the main problem is that in this scenario: > > servlet (servlet request) >>>ejb (ejb method params) > return to servlet (still have ejb method params) > > the servlet can't use the servlet request to evaluate role-ref permission= s > after the return from the ejb. I see, that's a problem too. > We could solve this problem by having each data handler have its own thre= ad > local and when you call setHandlerData it delegates to all the handlers > which will store it if its the right type. =A0This solves the "lots of in= fo at > once" problem but prevents you from clearing the data when you are done > unless we have some custom object for each handler that it recognizes to > clear its own data. > > So the handler would have a method like > > public boolean setHandlerData(Object data) { > if (data instanceof HttpServletRequest) { > =A0servletData.set(data); > =A0return true; > } else if (data =3D=3D CLEAR_OBJECT) { > =A0servletData.remove(); > =A0return true; > } > return false; > } Or maybe we should just expose set()/unset() type of methods on each PolicyContextHandler implementation (to set/unset the thread local variable) and just call those methods within our code. Otherwise, (and if I understand you right) we would have to modify how PolicyContext.setHanderData() works to have it call all the registered handlers. And that would require some new interface to put on the handler implementations or some reflection code. Jarek