Thanks for covering for me Dave!

> -----Original Message-----
> From: David Blevins [mailto:[EMAIL PROTECTED]
>
> Greg,
>
> Jumping in for Alan to get you some quick answers. I'm sure Alan will
> chime in later.
>
> On Sun, Nov 23, 2003 at 02:06:51AM +0000, Greg Wilkins wrote:
> > Will JACC require the servlets (etc.) to be run as part
> > of a Subject.doAs(...), or is it just sufficient to associate
> > an AccessControlContext with a thread?
>
> Associating the AccessControlContext with the thread is compliant, and
> *much* faster than a Subject.doAs. As Alan explained to me, Subject.doAs
> involves combining all the protection domains in scope into one -- about
> 100,000 nanoseconds.

Dave is correct, I associate an AccessControlContext with the thread rather than perform a Subject.doAs. I initially got caught up with all that subject domain combiner stuff and ended up going w/ an AccessControlContext which gets generated at login; see my LoginModuleWrapper.

> > If the former (and probably in the latter), I think we may want to
> > consider putting much of JACC into a container supplied Filter, as
> > it has the right calling semantics. Also a filter will be more portable
> > between containers and is in line with some ideas floated on JSR154
> > regarding pluggable authentication in the next rev of the servlet spec.
>
> A filter will work beautifully for checking WebResourcePermission and
> WebUserDataPermission. The WebRoleRefPermission is checked as the result
> of an isCallerInRole callback, so a little more magic will be required
> there.

A filter for authorization sounds interesting. Would this be something like the SecurityHandler that's in Jetty?

Regards,
Alan
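
The filter-based check discussed in this thread, as an added example that is not part of the original messages and is not code from any participant or their projects. The class name `JaccCheckFilter`, the session attribute `example.jacc.acc`, and the idea that the login code stores its AccessControlContext there are assumptions; it also assumes the container has already set the JACC policy context ID and that the `javax.servlet` and `javax.security.jacc` APIs of that era are on the classpath.

```java
import java.io.IOException;
import java.security.*;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical container-supplied filter performing the two JACC web checks. */
public class JaccCheckFilter implements Filter {
    // Assumption: the login code stores the AccessControlContext it generated here.
    static final String ACC_ATTR = "example.jacc.acc";

    // Context for callers who have not logged in: one dynamic ProtectionDomain
    // with no principals, so the installed Policy decides what is unchecked.
    private static final AccessControlContext ANONYMOUS = new AccessControlContext(
        new ProtectionDomain[] { new ProtectionDomain(null, null, null, new Principal[0]) });

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        Object stored = (session == null) ? null : session.getAttribute(ACC_ATTR);
        AccessControlContext acc = (stored instanceof AccessControlContext)
            ? (AccessControlContext) stored : ANONYMOUS;
        try {
            // Transport guarantee first, then the resource itself. Both are
            // evaluated against the stored context, with no Subject.doAs.
            acc.checkPermission(new WebUserDataPermission(req));
            acc.checkPermission(new WebResourcePermission(req));
        } catch (AccessControlException denied) {
            // Fail closed: anonymous callers are asked to authenticate,
            // authenticated callers are refused.
            res.sendError(acc == ANONYMOUS ? HttpServletResponse.SC_UNAUTHORIZED
                                           : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

WebRoleRefPermission is not handled here, since the thread notes it is checked from the isCallerInRole callback rather than on the request path.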
