Re: [jetty-users] application authentication

As long as there is a valid LoginService/Realm (depending on your
version of Jetty), I believe that all you need to do is declare the
login-config within web.xml to have the appropriate realm name.

Whether you use the annotation for the constraint or just standard
web.xml syntax is up to you.

As long as the container authenticates the user and sets the security
context, the userPrincipal and isUserInRole methods will work fine for
you - but they do generally require you to have either had the
container authenticate or you would have to call doAs to set a Subject
that you created on your own. Just know that calling doAs with your
own Subject is not something you will be able to do in all
environments due to SecurityManager and java.policy permissions, and is
generally not a great practice.

Another thing that may be an issue is whether you will require server
specific principal-to-role mappings for each environment in order for
isUserInRole to work properly.

I'm still a little confused about your use case - what are you planning to
authenticate against if you don't want to use the server's configured
realm/login service?

Again, you may be well served by Spring Security or Apache Shiro.

Sorry that I can't be of more help.

On Sun, Feb 10, 2013 at 3:15 PM, Nils Kilden-Pedersen <nilskp@xxxxxxxxx> wrote:
> I'd like to be able to use the tools provided by the servlet spec, such as
> getUserPrincipal, isUserInRole, etc. on HttpServletRequest and use the
> HttpConstraint annotation, but without having the authentication and role
> assignment being done by the server (because I'd prefer to get into as
> little server specific setup as possible).
> On Thu, Feb 7, 2013 at 9:00 PM, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>> Depends on what you mean by application based authentication.
>> You can always implement authentication in a servlet filter. You can use a
>> security framework like Spring Security as a filter.
>> You may want to provide more info of what you need to do.
>> On Feb 7, 2013 7:19 PM, "Nils Kilden-Pedersen" <nilskp@xxxxxxxxx> wrote:
>>> Is it possible to configure application based authentication without
>>> having access to the server installation, i.e. only through the war file?
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
