[jetty-dev] JAAS Authorization in Jetty

Hi All,

I am not sure if this mailing list is the right place to post my question, but no one on jetty-user answered.

Basically I want to run servlets on behalf of authenticated users such that the authenticated user can access only authorized resources (such as file, socket, etc.).
I know this is possible using JAAS. However, it doesn't seem that the classes shipped with Jetty (e.g. handlers and ServletHolder) deal with this situation.
I wonder if I am missing something. Or is it true that I will have to write my own ServletHolder which will call servlet.service(...) using Subject.doAs()?

Also, the HttpServletResponse.getWriter() method call leads to calling System.getProperties() in the StdErrLog class, which requires both "read" and "write" permission on PropertyPermissions for all properties (which, I think, is not desirable). Therefore, if servlet code has "response.getWriter()", it will get an AccessControlException unless I grant the required permission, which is unsafe. Should I also write my own ServletResponse wrapper class which will call methods inside AccessController.doPrivileged()?

Please let me know if there is any information needed to make my question clear.

I really appreciate your help in advance.

-sangmin
