Re: [jetty-users] application authentication

In that case, I would consider using something like Shiro.
The servlet request calls won't work for you but you will be able to
use the SecurityUtils.getSubject call to get access to the Shiro
subject and do all types of equivalent calls.

The EE specs are about an application programming model that is built
on top of a platform with a built-in security foundation. I don't
really agree with everything that was put into web.xml for security
but I do feel that the security subsystem should be considered as
outside of the scope of the application programming model.

What you are looking for is a way to leverage the security aspects of
the application programming model without using the foundational
security infrastructure of the container which is built in such a way
that you can trust the results of those calls.

Incidentally, JSR-196 (JASPIC) provides a cross platform means to
introduce authentication mechanisms for just such a use case. The
problem is that you will have to get the JASPIC authentication module
installed for the server environment. Once you do that it will be
invoked by the container instead of application code - therefore, by
trusted code - and will result in the container setting the
appropriate security context based on your authModule. This is
supported by all EE containers as of EE 6.

There, however, is no standard way to install this module by simply
bundling it with an application and deploying it.

On Sun, Feb 10, 2013 at 4:22 PM, Nils Kilden-Pedersen <nilskp@xxxxxxxxx> wrote:
> On Sun, Feb 10, 2013 at 4:10 PM, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>>
>> I'm still a little confused about your use case - what are you planning to
>> authenticate against if you don't want to use the server's configured
>> realm/login service?
>
>
> The application's own database of users. And the application's own concept
> of roles. I've never understood why the JEE spec felt that was a server
> responsibility (yet terribly under-spec'ed).
>
> Anyway, seems like it's not possible, but thanks for taking the time.
>
>>
>>
>> Again, you may be well served by Spring Security or Apache Shiro.
>>
>> Sorry that I can't be of more help.
>>
>> On Sun, Feb 10, 2013 at 3:15 PM, Nils Kilden-Pedersen <nilskp@xxxxxxxxx> wrote:
>> > I'd like to be able to use the tools provided by the servlet spec, such as
>> > getUserPrincipal, isUserInRole, etc. on HttpServletRequest and use the
>> > HttpConstraint annotation, but without having the authentication and role
>> > assignment being done by the server (because I'd prefer to get into as
>> > little server specific setup as possible).
>> >
>> >
>> > On Thu, Feb 7, 2013 at 9:00 PM, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>> >>
>> >> Depends on what you mean by application based authentication.
>> >>
>> >> You can always implement authentication in a servlet filter. You can use a
>> >> security framework like Spring Security as a filter.
>> >>
>> >> You may want to provide more info of what you need to do.
>> >>
>> >> On Feb 7, 2013 7:19 PM, "Nils Kilden-Pedersen" <nilskp@xxxxxxxxx> wrote:
>> >>>
>> >>> Is it possible to configure application based authentication without
>> >>> having access to the server installation, i.e. only through the war file?
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> jetty-users mailing list
>> >>> jetty-users@xxxxxxxxxxx
>> >>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>> >>>
>

