As long as there is a valid LoginService/Realm (depending on your version of Jetty), I believe that all you need to do is declare the login-config within web.xml to have the appropriate realm name.
Whether you use the annotation for the constraint or just standard web.xml syntax is up to you.

As long as the container authenticates the user and sets the security context, the userPrincipal and isUserInRole methods will work fine for you - but they do generally require you to have either had the container authenticate or you would have to call doAs to set a Subject that you created on your own. Just know that calling doAs with your own Subject is not something you will be able to do in all environments due to SecurityManager and java.policy permissions, and is generally not a great practice.

Another thing that may be an issue is whether you will require server-specific principal-to-role mappings for each environment in order for isUserInRole to work properly.

I'm still a little confused about your use case - what are you planning to authenticate against if you don't want to use the server's configured realm/login service? Again, you may be well served by Spring Security or Apache Shiro.

Sorry that I can't be of more help.

On Sun, Feb 10, 2013 at 3:15 PM, Nils Kilden-Pedersen <[email protected]> wrote:
> I'd like to be able to use the tools provided by the servlet spec, such as
> getUserPrincipal, isUserInRole, etc. on HttpServletRequest and use the
> HttpConstraint annotation, but without having the authentication and role
> assignment being done by the server (because I'd prefer to get into as
> little server-specific setup as possible).
>
> On Thu, Feb 7, 2013 at 9:00 PM, larry mccay <[email protected]> wrote:
>>
>> Depends on what you mean by application based authentication.
>>
>> You can always implement authentication in a servlet filter. You can use a
>> security framework like Spring Security as a filter.
>>
>> You may want to provide more info on what you need to do.
>>
>> On Feb 7, 2013 7:19 PM, "Nils Kilden-Pedersen" <[email protected]> wrote:
>>>
>>> Is it possible to configure application based authentication without
>>> having access to the server installation, i.e. only through the war file?
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> [email protected]
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
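
The servlet-filter approach mentioned in the thread, as an added example that is not from the thread or from Jetty: a filter mapped in the WAR's own web.xml wraps each request so that getUserPrincipal and isUserInRole report a user the application itself authenticated. The `AppUser` type and the `app.auth.user` session key are assumptions made for illustration, and the application's login code that stores the user in the session is assumed to exist elsewhere.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (not from the thread): exposes an application-authenticated
 *  user through the standard HttpServletRequest security methods. */
public class AppAuthFilter implements Filter {
    /** Hypothetical session key under which the app's own login code stores the user. */
    public static final String USER_ATTR = "app.auth.user";

    /** Hypothetical app-level user: a principal plus the roles the app assigned. */
    public static final class AppUser implements Principal, java.io.Serializable {
        private final String name;
        private final Set<String> roles;
        public AppUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        @Override public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // never create a session here
        Object attr = session == null ? null : session.getAttribute(USER_ATTR);
        if (!(attr instanceof AppUser)) {
            // Fail closed: without an application login, the mapped paths are refused.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final AppUser user = (AppUser) attr;
        // Downstream servlets see the app's user via the servlet-spec methods.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return user; }
            @Override public String getRemoteUser() { return user.getName(); }
            @Override public boolean isUserInRole(String role) { return user.hasRole(role); }
        }, res);
    }
}
```

Container-enforced constraints (`@HttpConstraint`, `<security-constraint>`) are evaluated by the container against its own authentication state and do not see this wrapper, so with this approach access rules have to be enforced by the filter or by application code calling isUserInRole.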
