I'm looking at Jetty v5.0alpha and it's not clear to me where the best
place is to hook in authorization. While authentication seems pretty
pluggable, via the UserRealm interface.
Yes, specializing the UserRealm and Jetty's UserPrincipal are the way to go. Take a look at the JettyPlus stuff in $JETTY_HOME/extra/plus/src/org/mortbay/jaas package for some examples.
It seems the only way to plug in authorization is to replace the SecurityHandler, which seems to be a little draconian.
You may need a little background. JACC requires that authorization decisions go through a JACC policy provider and it's pretty specific about how this is done. I was hoping to drop in a Geronimo web authorization module that takes a principal, data constraint, method, path, and deployment id, and perform this JACC authorization check. It seems that a way to drop in a replacement for the static method SecurityConstraint.check() would be handy. It's not clear to me how I would get the deployment id from there.
I haven't looked at the JACC stuff (yet) so these are just initial comments until I catch up on my reading ....
You don't necessarily have to replace a particular Jetty Handler. Handlers are arranged in a chain, so to introduce new behaviour it is possible to just insert another Handler in the chain. Not sure if this will be possible here or not.
Also, there is an access point into the web app context that is called as a thread enters and leaves a web app which might be another place to look at if you need to set up any thread local stuff (we've already subclassed the standard Jetty web app as o.a.g.w.jetty.JettyWebApplicationContext).
Finally, however it is done, we need to keep in mind that we must also be able to plug-in other web containers.
Thoughts?
Let me have a read of the JACC spec so I have a better understanding what is required and I can comment better.
cheers, Jan
