In that case, I would consider using something like Shiro. The servlet request calls won't work for you but you will be able to use the SecurityUtils.getSubject call to get access to the Shiro subject and do all types of equivalent calls.

The EE specs are about an application programming model that is built on top of a platform with a built-in security foundation. I don't really agree with everything that was put into web.xml for security but I do feel that the security subsystem should be considered as outside of the scope of the application programming model. What you are looking for is a way to leverage the security aspects of the application programming model without using the foundational security infrastructure of the container which is built in such a way that you can trust the results of those calls.

Incidentally, JSR-196 (JASPIC) provides a cross-platform means to introduce authentication mechanisms for just such a use case. The problem is that you will have to get the JASPIC authentication module installed for the server environment. Once you do that it will be invoked by the container instead of application code - therefore, by trusted code - and will result in the container setting the appropriate security context based on your authModule. This is supported by all EE containers as of EE 6. There is, however, no standard way to install this module by simply bundling it with an application and deploying it.

On Sun, Feb 10, 2013 at 4:22 PM, Nils Kilden-Pedersen <[email protected]> wrote:
> On Sun, Feb 10, 2013 at 4:10 PM, larry mccay <[email protected]> wrote:
>>
>> I'm still a little confused about your use case - what are you planning to
>> authenticate against if you don't want to use the server's configured
>> realm/login service?
>
> The application's own database of users. And the application's own concept
> of roles. I've never understood why the JEE spec felt that was a server
> responsibility (yet terribly under-spec'ed).
>
> Anyway, seems like it's not possible, but thanks for taking the time.
>
>>
>> Again, you may be well served by spring security or apache shiro.
>>
>> Sorry that I can't be of more help.
>>
>> On Sun, Feb 10, 2013 at 3:15 PM, Nils Kilden-Pedersen <[email protected]>
>> wrote:
>> > I'd like to be able to use the tools provided by the servlet spec, such
>> > as getUserPrincipal, isUserInRole, etc. on HttpServletRequest and use the
>> > HttpConstraint annotation, but without having the authentication and
>> > role assignment being done by the server (because I'd prefer to get into
>> > as little server specific setup as possible).
>> >
>> > On Thu, Feb 7, 2013 at 9:00 PM, larry mccay <[email protected]>
>> > wrote:
>> >>
>> >> Depends on what you mean by application based authentication.
>> >>
>> >> You can always implement authentication in a servlet filter. You can
>> >> use a security framework like spring security as a filter.
>> >>
>> >> You may want to provide more info of what you need to do.
>> >>
>> >> On Feb 7, 2013 7:19 PM, "Nils Kilden-Pedersen" <[email protected]>
>> >> wrote:
>> >>>
>> >>> Is it possible to configure application based authentication without
>> >>> having access to the server installation, i.e. only through the war
>> >>> file?
>> >>>
>> >>> _______________________________________________
>> >>> jetty-users mailing list
>> >>> [email protected]
>> >>> https://dev.eclipse.org/mailman/listinfo/jetty-users
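
The Shiro Subject calls suggested at the top of this message, used where getUserPrincipal and isUserInRole would otherwise appear. This is an added example, not code from the thread or from the Jetty or Shiro projects. It assumes Shiro's web filter is mapped in the WAR's own web.xml with a realm backed by the application's user and role tables; the servlet name, the "admin" role, the form parameter names and the /account path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

// Hypothetical servlet. Assumes the Shiro filter in this WAR has already bound
// a Subject to the request thread before the servlet is invoked.
public class AccountServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String password = req.getParameter("password");
        UsernamePasswordToken token = new UsernamePasswordToken(
                req.getParameter("username"),
                password == null ? new char[0] : password.toCharArray());
        try {
            // Verified by the application's realm, not the container's login service.
            SecurityUtils.getSubject().login(token);
        } catch (AuthenticationException e) {
            // One response for every failure so the reply does not reveal
            // whether the account exists.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        } finally {
            token.clear(); // wipe the password characters held by the token
        }
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {        // instead of getUserPrincipal() != null
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!subject.hasRole("admin")) {         // instead of isUserInRole("admin")
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Signed in as " + subject.getPrincipal());
    }
}
```

The checks here run in application code, so the container's own constraint enforcement (web.xml security constraints, the HttpConstraint annotation) is not driven by this identity.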
