Re: [jetty-dev] JAAS Authorization in Jetty

It's possible that you may run into issues where things should be
wrapped with the AccessController to support this JAAS configuration
you're using.  If you find such places please open an issue in bugzilla
(bugs.eclipse.org) and we can get them addressed, patches make things
go faster :)

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Fri, Nov 4, 2011 at 11:07, Sangmin Lee <orfeo61@xxxxxxxxx> wrote:
> Hi All,
> I am not sure if this mailing list is the right place to post my question
> but no one in jetty-user answered.
> Basically I want to run servlets on behalf of authenticated users such that
> the authenticated user can access only authorized resources (such as file,
> socket, etc.).
> I know this is possible using JAAS. However it doesn't seem that classes
> shipped with Jetty (e.g. handlers and ServletHolder) deal with this
> situation.
> I wonder if I am missing something. Or is it true that I will have to write
> my own ServletHolder which will call servlet.service(...) using
> Subject.doAs()?
> Also, HttpServletResponse.getWriter() method call leads to calling
> System.getProperties() in StdErrLog class which requires both "read" and
> "write" permission on PropertyPermissions for all properties (which, I
> think, is not desirable). Therefore, if servlet code has
> "response.getWriter()", it will get AccessControlException unless I grant
> the required permission which is unsafe. Should I also write my own
> ServletResponse wrapper class which will call methods inside
> AccessController.doPrivileged() ?
> Please let me know if there is any information needed to make my question
> clear.
> I really appreciate your help in advance.
> -sangmin
>
>
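The two wrappers discussed in this thread, sketched as an added example (not Jetty code and not written by either poster): work run under `Subject.doAs()`, and a container-side property read scoped with `AccessController.doPrivileged()`. The class name `ScopedCalls`, its method names and the principal "alice" are hypothetical; only JDK classes are used, and these security APIs are deprecated in recent JDK releases.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;

// Added illustration; ScopedCalls and its methods are hypothetical names, not Jetty API.
public final class ScopedCalls {

    // Run request-handling work with the authenticated Subject attached, so that
    // policy entries of the form `grant principal <class> "<name>" { ... }` apply to it.
    static <T> T runAs(Subject user, Callable<T> work) throws Exception {
        try {
            return Subject.doAs(user, (PrivilegedExceptionAction<T>) work::call);
        } catch (PrivilegedActionException e) {
            throw e.getException(); // surface the exception thrown by the work itself
        }
    }

    // Container-side read of ONE property. The permission check stops at this frame,
    // so only this class's code source needs PropertyPermission(key, "read").
    // Callers such as the servlet need no property permissions, and nothing needs
    // the "*", "read,write" grant that System.getProperties() requires.
    static String containerProperty(String key) {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    public static void main(String[] args) throws Exception {
        Subject alice = new Subject();
        Principal p = () -> "alice"; // constructed principal for the demo
        alice.getPrincipals().add(p);

        // Stands in for servlet.service(...): user-scoped work that indirectly
        // triggers a container-side property read.
        String result = runAs(alice,
                () -> "served with java.version=" + containerProperty("java.version"));
        System.out.println(result);
    }
}
```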

