> -----Original Message-----
> From: Jan Bartel [mailto:[EMAIL PROTECTED]
>
> Just had a quick scan of the spec before I go off to my day job. Is it a
> fair summary to say the scope of the issue is this:

When you speak of the scope of the issue, do you mean the scope of the spec? I ask this because points 1 and 2 are already done.

> 1. conversion of web.xml declarations into jacc permissions
> and registration of same with external (in this case Geronimo)
> Policy provider
>
> 2. registration by servlet container of various Policy context handlers,
> esp. a HttpServletRequest Policy handler
>
> 3. servlet container enforced checking of jacc permissions at various
> points
>
> 4. movement of the servlet container's existing security checking on
> URL patterns etc into an external Policy provider implementation

Items 3 and 4 are intertwined, no? I'm not sure why you broke them into two parts.

> Seems like the jacc spec crosses over with the servlet spec in regards
> URL pattern matching and security constraint specifications. This may be
> an issue.

You seem to be correct in that JACC outlines how the security constraint checks are to be performed, using Permissions. The semantics should be the same.

> Also seems like this is a pretty deep, fundamental shift in
> the structure of the servlet container to support this stuff.

I don't think that this is a fundamental shift in the structure of the Jetty servlet container to support this stuff. I think that all we need to do to support the JACC authorization is to make the SecurityConstraint.check() method pluggable. The rest works w/ Jetty as is. If I have time, I'll toss something up on Jira for you to look at.

> This will need some thought. I'll forward this to Greg to get his
> feedback on it.

Thanks.

Regards,
Alan
