geronimo-dev mailing list archives

From David Jencks <>
Subject Re: Enable Declarative Security in Jetty ?
Date Fri, 17 Sep 2010 17:29:24 GMT

On Sep 17, 2010, at 12:44 AM, Ivan wrote:

> Hi,
>     While looking at some Servlet Security JIRAs, I began some code refactors on the SpecSecurityBuilder, including :
>     a. Add more Info class for the security configurations, and serialize those in the .ser file, with them, it would avoid the xml parsing on the startup time and make the codes look simple

excellent idea!

>     b. Use ServletContext more in the SpecSecurityBuilder, as it is more helpful for some calculations, such as get the mapping urls for the target servlet.

I'm not sure what you mean here, but I haven't looked closely at SpecSecurityBuilder.  Could
you be more specific?

>     To make these functions work, especially the option b. it requires to enable declarative security in Jetty integration, generally speaking, will adopt the same way as Tomcat integration
>     a. create a Wrapper class for ServletContextHandler.Context class, so that we could monitor those new added dynamic servlets. One thing might be care is that the codes need to distinguish the servlets from web.xml, as they are also added by ServletContext now in Jetty.
>     b. Add a EventListener to ServletContextHandler, it will be responsible for the security calculation and fill it into ApplicationPolicyConfigurationManager.

I think you mean "declarative security for servlets added by the addServlet methods on ServletContext"?
Jetty will want to deal with that too, so I think putting something in the jetty code that
calls out to a security builder of some kind (we can install our own) is the best plan here.
Then we shouldn't need more wrapping.  Maybe I don't understand exactly what you mean?  What
would the event listener do?

>     Thoughts ?
>      To David. I found you did some code changes for Jetty now, and wonder whether you have begun some similar work ?

I was thinking about doing something like this but haven't started anything.  I did look a
little bit into configuring tomcat using the info tree rather than letting tomcat read the
web.xml.  I've found a bunch of tomcat problems and spec inconsistencies.  I haven't gotten
to security configuration yet.

david jencks

>      Thanks !
> -- 
> Ivan
