On Thu, Apr 28, 2011 at 9:10 AM, Kristian Rink [via Jersey] <
ml-node+6313134-1819770105-158506_at_n2.nabble.com> wrote:
> However, the only documentation I so far found is
> about either defining roles and users in web.xml or setting up a
> container-sided JAAS (Jdbc, ...) realm for fetching user information.
> Both, however, is not what I want / need / can make use of as, in our
> environment, user/role information are to be provided by a legacy
> backend which just can be reached through a bunch of obscure glue code.
>
The "proper" way to do it is to set up a JACC provider. It is a woefully
underdocumented pain in the neck, but that's the facility that the Java EE
stack provides to bind a @RolesAllowed check to a java.security.Policy,
which can serve as the front end to your obscure glue code.
A ServletFilter will not work in this case, if I understand your
requirements correctly, because a ServletFilter of any kind cannot
programmatically assign roles to a user, which is what you need.
Start the whole JACC mess with implementing a java.security.Policy. You'll
want to override the implies() method. Once you've got that, then start
reading about JACC.
Best,
Laird
--
View this message in context: http://jersey.576304.n2.nabble.com/user-roles-provider-for-AAA-tp6313134p6313183.html
Sent from the Jersey mailing list archive at Nabble.com.