Re: [jetty-users] application authentication

Know that what Larry McCay pointed out is the access for that security information (the database query / read part of it).

You can still have your application handle the management / write aspects of this data in its own way. (There's really no standard or spec for this.)
Thus having the security be application specific, with its own users and roles.
It really depends on how complicated you want to go.

Where the user and role data comes from is completely configurable.
The server will just use whatever Realm (aka LoginService) provider you tell it to use, even your own.

Just implement your own org.eclipse.jetty.security.LoginService and provide it to the Server via .addBean().

Example of using Server.addBean() to add a LoginService using jetty xml.
http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/test-jetty-webapp/src/main/config/etc/jetty-testrealm.xml?h=jetty-8

--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts
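
A sketch of the custom LoginService approach described in the message above, added here as an example; it is not part of the original message or of Jetty's code. It assumes the Jetty 8 LoginService interface (later versions changed the login() signature) and that the authenticator passes the password as a String; AppLoginService, Account and the realm name "AppRealm" are hypothetical.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.UserIdentity;

/** Hypothetical LoginService backed by the application's own users and roles. */
public class AppLoginService implements LoginService {
    /** Hypothetical record; a real application would load it from its own database. */
    public static final class Account {
        final byte[] salt, hash; final String[] roles;
        public Account(byte[] salt, byte[] hash, String[] roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }
    private final Map<String, Account> accounts = new ConcurrentHashMap<String, Account>();
    private IdentityService identityService = new DefaultIdentityService();

    public void addAccount(String user, Account a) { accounts.put(user, a); }
    // Store only salted, stretched hashes, never plaintext (this algorithm name needs Java 8+).
    public static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    public String getName() { return "AppRealm"; } // compared with the webapp's realm name
    public UserIdentity login(String username, Object credentials) {
        Account a = username == null ? null : accounts.get(username);
        if (a == null || credentials == null) return null; // null = authentication failed
        try {
            byte[] candidate = pbkdf2(credentials.toString().toCharArray(), a.salt);
            if (!MessageDigest.isEqual(candidate, a.hash)) return null; // constant-time compare
        } catch (Exception e) { return null; } // fail closed on any crypto error
        final String name = username;
        Principal p = new Principal() { public String getName() { return name; } };
        Subject subject = new Subject();
        subject.getPrincipals().add(p);
        // The roles given here are what isUserInRole() and security constraints check.
        return identityService.newUserIdentity(subject, p, a.roles);
    }
    public boolean validate(UserIdentity user) { // reject sessions of deleted accounts
        return accounts.containsKey(user.getUserPrincipal().getName());
    }
    public void logout(UserIdentity user) { }
    public IdentityService getIdentityService() { return identityService; }
    public void setIdentityService(IdentityService s) { this.identityService = s; }
}
```

An instance is registered with the server through Server.addBean(), either in code or in jetty xml as in the linked example.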


On Sun, Feb 10, 2013 at 2:22 PM, Nils Kilden-Pedersen <nilskp@xxxxxxxxx> wrote:
On Sun, Feb 10, 2013 at 4:10 PM, larry mccay <larry.mccay@xxxxxxxxx> wrote:
I'm still a little confused about your use case - what are you planning to
authenticate against if you don't want to use the server's configured
realm/login service?

The application's own database of users. And the application's own concept of roles. I've never understood why the JEE spec felt that was a server responsibility (yet terribly under-spec'ed).

Anyway, seems like it's not possible, but thanks for taking the time.
 

Again, you may be well served by spring security or apache shiro.

Sorry that I can't be of more help.

On Sun, Feb 10, 2013 at 3:15 PM, Nils Kilden-Pedersen <nilskp@xxxxxxxxx> wrote:
> I'd like to be able to use the tools provided by the servlet spec, such as
> getUserPrincipal, isUserInRole, etc. on HttpServletRequest and use the
> HttpConstraint annotation, but without having the authentication and role
> assignment being done by the server (because I'd prefer to get into as
> little server specific setup as possible).
>
>
> On Thu, Feb 7, 2013 at 9:00 PM, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>>
>> Depends on what you mean by application based authentication.
>>
>> You can always implement authentication in a servlet filter. You can use a
>> security framework like spring security as a filter.
>>
>> You may want to provide more info of what you need to do.
>>
>> On Feb 7, 2013 7:19 PM, "Nils Kilden-Pedersen" <nilskp@xxxxxxxxx> wrote:
>>>
>>> Is it possible to configure application based authentication without
>>> having access to the server installation, i.e. only through the war file?
>>>
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>