From: Mike C. (mchack) <mc...@ci...> - 2008-10-24 16:03:04
I would think so. Currently what I do in my security filter is to
authenticate the user and then provide a custom servlet response
wrapper that overrides isUserInRole(). This way works well with Resteasy
security.
I also created a thread local security context that allows me to access
additional information in my business logic. Could probably have also
extended ServletRequestWrapper to provide this additional information.
If there is a way for the user to provide a security interceptor to the
framework that would allow some of the same functionality to be invoked
by the framework on behalf of the application then it could work.
Maybe you create a ServletRequestWrapper that overrides isUserInRole
and then just delegates to an application-provided security module.
What do you think?
Mike Chack
O: +1 408.526.4639
M: +1 408.504.6594
mc...@ci...
-----Original Message-----
From: Bill Burke [mailto:bb...@re...]
Sent: Friday, October 24, 2008 8:34 AM
To: Mike Chack (mchack)
Cc: res...@li...
Subject: Re: [Resteasy-developers] new multipart support
Speaking of security...
Anything Resteasy could do to make it easier?
Bill Burke wrote:
> The badness is that it screws up Resteasy.
>
> Like for instance www-urlencoded-form, if any filter does
> httpRequest.getParameter("someFormParam") it will screw up Resteasy as
> Resteasy expects to read form data within the InputStream.
>
> I fixed this in trunk, but a few people ran into this problem.
>
> Mike Chack (mchack) wrote:
>> I'll give it some thought. I always like to think that simple is better
>> but it is hard to know when to draw the line relative to content types.
>>
>> BTW, I had a slightly different problem that I was trying to solve. I
>> am using a custom servlet filter to implement a security front end. As
>> part of this I need a sessionid as an input parameter. Usually
>> passed as a query string parameter. My client was a GWT application that
>> was using a form widget to upload a file. The widget was not able to
>> submit multipart form and still present query string parameters. So, I
>> had to access multipart form in the servlet filter. Not a great thing I
>> found out as the input stream can't be reset.
>>
>> By product of this is that I used O'Reilly servlet package here to
>> access multipart as it has a Servlet Request Wrapper that parses the
>> multipart data and stores files if any in a temp dir, later accessible
>> by the upstream servlet.
>>
>> Just another twist on the general problem. Any thoughts on this or the
>> goodness/badness of having to access form data in a filter?
>>
>> Thanks
>>
>> Mike Chack
>> O: +1 408.526.4639
>> M: +1 408.504.6594
>> mc...@ci...
>>
>>
>> -----Original Message-----
>> From: Bill Burke [mailto:bb...@re...]
>> Sent: Thursday, October 23, 2008 2:02 PM
>> To: Mike Chack (mchack)
>> Cc: res...@li...
>> Subject: Re: [Resteasy-developers] new multipart support
>>
>> i.e. Content-Encoding: gzip
>>
>> or something like that...
>>
>> Bill Burke wrote:
>>> I may have some more work to do with it. I only support a simple
>>> encoding format. I'm not sure if more complex encoding formats are
>>> popular when using multipart.
>>>
>>> Thoughts?
>>>
>>> Mike Chack (mchack) wrote:
>>>> Thanks. That should be really helpful. A day too late. Spent a bunch of
>>>> time yesterday hacking a solution!!!!! I'll definitely refactor my
>>>> solution.
>>>>
>>>> Mike Chack
>>>> O: +1 408.526.4639
>>>> M: +1 408.504.6594
>>>> mc...@ci...
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Bill Burke [mailto:bb...@re...]
>>>> Sent: Thursday, October 23, 2008 1:45 PM
>>>> To: res...@li...
>>>> Subject: [Resteasy-developers] new multipart support
>>>>
>>>> I've spent this week doing some new multipart support:
>>>>
>>>>
>>>> http://bill.burkecentral.com/2008/10/23/jax-rs-multipart-support-with-resteasy/
>>>>
>>>> It is written up more extensively in the docbook module.
>>>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
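
The filter pattern discussed in this thread (authenticate in a servlet filter, hand the framework a request wrapper whose isUserInRole() delegates to the application, and expose a thread-local security context), sketched as an added example that is not code from the thread or from Resteasy. `SecurityFilter`, `SecurityContext` and `SecurityModule` are hypothetical names, constructor wiring and Servlet API 4.0 are assumed, and the `sessionid` is parsed from the raw query string so the filter never calls getParameter() and never consumes the request body.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;
public class SecurityFilter implements Filter {
    /** Thread-local identity readable from business logic (hypothetical class). */
    public static final class SecurityContext {
        private static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();
        public final String user;
        public final Set<String> roles;
        public SecurityContext(String user, Set<String> roles) { this.user = user; this.roles = roles; }
        public static SecurityContext current() { return CURRENT.get(); }
    }
    /** Hypothetical application-provided module; returns null for an unknown session. */
    public interface SecurityModule { SecurityContext authenticate(String sessionId); }
    private final SecurityModule module;
    public SecurityFilter(SecurityModule module) { this.module = module; } // wiring is assumed

    // Reads the raw query string only: getParameter() on a form POST would consume the body.
    static String queryParam(String query, String name) throws IOException {
        if (query == null) return null;
        try {
            for (String pair : query.split("&")) {
                String[] kv = pair.split("=", 2);
                if (kv.length == 2 && kv[0].equals(name)) return URLDecoder.decode(kv[1], "UTF-8");
            }
        } catch (IllegalArgumentException malformedEscape) { /* treat as absent */ }
        return null;
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String sid = queryParam(http.getQueryString(), "sessionid");
        final SecurityContext ctx = (sid == null) ? null : module.authenticate(sid);
        if (ctx == null) { // fail closed: no valid session, no access to the resource
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        SecurityContext.CURRENT.set(ctx);
        try {
            chain.doFilter(new HttpServletRequestWrapper(http) {
                @Override public boolean isUserInRole(String role) { return ctx.roles.contains(role); }
            }, res);
        } finally {
            SecurityContext.CURRENT.remove(); // pooled threads must not keep the last caller's identity
        }
    }
}
```

The `finally` block matters on a container thread pool: without it, a later request served by the same thread could read the previous caller's context.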