[jetty-dev] Associating security info and threads
David,
Digging further into the security arch, I've got another problematic
scenario.
From the javadoc on the IdentityService.associate(UserIdentity, Scope) method,
it looks like it is intended for security info to be associated with the current
thread. However, in working on the jetty-jboss integration, it's become apparent
that this method is not being called early enough in the handling process
for it to be able to be used. In particular, for a call to jboss to establish
if a user is in a particular role, the calling thread must already be
adorned with the current user's auth status. However, we only call
associate() AFTER the SecurityHandler is exited and the ServletHandler is
entered, which is too late.
It seems as if it would be appropriate to be able to adorn the thread with
the authentication info AND the auth info as separate steps. I've talked
it over briefly with Greg, and he suggests that perhaps we need a
structure like the following. The indentation indicates the sequence
of handling of a request:
<authenticate>
  associate (UserIdentity)
    <check constraints>
      scope (UserIdentity, Scope)
        <do filters>
          setRunAs (Token)
            <do servlet>
          unSetRunAs (Token)
      descope (UserIdentity, Scope)
  disassociate (UserIdentity)
Thoughts?
Jan
--
Jan Bartel, Webtide LLC | janb@xxxxxxxxxxx | http://www.webtide.com
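The following is an added illustration of the nesting proposed in the message above; it is not Jetty or JBoss code. It models the identity service as purely thread-local state (the assumption behind "the calling thread must already be adorned"), so a role check that runs before associate() sees no identity at all, while the proposed associate / scope / setRunAs order, with each pair wrapped in its own try/finally, makes the identity visible to the constraint check and leaves the thread clean afterwards. The UserIdentity, Scope, Token and IdentityService types here are constructed stand-ins with the method names from the sketch, not the real Jetty interfaces.

```java
import java.util.Set;

// Added example, not Jetty code: thread-local association of security info,
// showing why the constraint check must run after associate().
public class ThreadAssociationExample {

    /** Constructed stand-in for Jetty's UserIdentity. */
    record UserIdentity(String name, Set<String> roles) {}

    /** Constructed stand-in for the Scope argument (just a servlet name here). */
    record Scope(String servletName) {}

    /** Constructed stand-in for a run-as token. */
    record Token(String role) {}

    /** Hypothetical identity service whose only state is per-thread. */
    static final class IdentityService {
        private static final ThreadLocal<UserIdentity> IDENTITY = new ThreadLocal<>();
        private static final ThreadLocal<Scope> SCOPE = new ThreadLocal<>();
        private static final ThreadLocal<Token> RUN_AS = new ThreadLocal<>();

        void associate(UserIdentity u)            { IDENTITY.set(u); }
        void disassociate(UserIdentity u)         { IDENTITY.remove(); }
        void scope(UserIdentity u, Scope s)       { SCOPE.set(s); }
        void descope(UserIdentity u, Scope s)     { SCOPE.remove(); }
        void setRunAs(Token t)                    { RUN_AS.set(t); }
        void unSetRunAs(Token t)                  { RUN_AS.remove(); }

        /** Stand-in for the container-side "is user in role" query:
         *  it can only consult what is currently attached to this thread. */
        boolean isUserInRole(String role) {
            Token t = RUN_AS.get();
            if (t != null) return t.role().equals(role);
            UserIdentity u = IDENTITY.get();
            return u != null && u.roles().contains(role);
        }
    }

    /** The security constraint check, which delegates to the thread-bound query. */
    static boolean checkConstraints(IdentityService ids, String requiredRole) {
        return ids.isUserInRole(requiredRole);
    }

    /** Current ordering from the message: constraints are checked before
     *  associate() is called, so the thread carries no identity yet. */
    static boolean handleCurrentOrder(IdentityService ids, UserIdentity user, String role) {
        boolean allowed = checkConstraints(ids, role);
        ids.associate(user);
        try {
            return allowed;
        } finally {
            ids.disassociate(user);
        }
    }

    /** Proposed ordering: associate, check constraints, scope, setRunAs,
     *  with each pair unwound in a finally so nothing leaks to the next request. */
    static boolean handleProposedOrder(IdentityService ids, UserIdentity user, String role) {
        ids.associate(user);
        try {
            if (!checkConstraints(ids, role)) return false;
            Scope scope = new Scope("example-servlet");
            ids.scope(user, scope);
            try {
                Token runAs = new Token("runas-role");
                ids.setRunAs(runAs);
                try {
                    // Inside the servlet the run-as role, not the caller's roles, is in effect.
                    return ids.isUserInRole("runas-role");
                } finally {
                    ids.unSetRunAs(runAs);
                }
            } finally {
                ids.descope(user, scope);
            }
        } finally {
            ids.disassociate(user);
        }
    }

    public static void main(String[] args) {
        IdentityService ids = new IdentityService();
        UserIdentity alice = new UserIdentity("alice", Set.of("manager"));
        System.out.println("current order allows manager:  " + handleCurrentOrder(ids, alice, "manager"));
        System.out.println("proposed order allows manager: " + handleProposedOrder(ids, alice, "manager"));
        System.out.println("thread clean after request:    " + !ids.isUserInRole("manager"));
    }
}
```

The try/finally nesting is the part worth keeping whatever the real API ends up looking like: because the state lives on the worker thread and worker threads are pooled, an identity or run-as token left behind by one request would be visible to the next request that thread serves.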