I'm looking at Jetty v5.0alpha and it's not clear to me where the best place is to hook in authorization. While authentication seems pretty pluggable, via the UserRealm interface. It seems the only way to plug in authorization is to replace the SecurityHandler, which seems to be a little draconian.
You may need a little background. JACC requires that authorization decisions go through a JACC policy provider and it's pretty specific about how this is done. I was hoping to drop in a Geronimo web authorization module that takes a principal, data constraint, method, path, and deployment id, and perform this JACC authorization check. It seems that a way to drop in a replacement for the static method SecurityConstraint.check() would be handy. It's not clear to me how I would get the deployment id from there. Thoughts? Regards, Alan
