
Use case: HTTP context, I need to restrict access to URLs given a certain session attribute state.

Extending the is* methods of AccessControlFilter in a custom filter works, but it looks sorta ugly: I have no Realm.

AFAIK Realms are used for things like LDAP, JDBC, INI backends, whereas my "realm" is in fact web-bound, i.e. the HttpSession itself is the realm.

  1. Is my custom filter the proper way to secure, given that I have the information I need in the HttpSession?
  2. If not, how would you bind a Realm to a web-based context? Like HttpSession or even HttpServletRequest
Laurent Perez


You should use a Realm to bind your User [Subject], even if you are just passing in some object from your filter (i.e. info pulled from the session or HTTP header).

The Realm is the object that will Authenticate and Authorize. Generally speaking there are two types of filters: filters that build tokens that get passed to a realm (e.g. Form auth, Basic auth, etc.) and filters that require some sort of authorization (which assert one or more roles and/or permissions).

Brian Demers
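As an added example (not code from either poster or from the Shiro project), here is the pattern the answer describes applied to the question's use case: a token-building AuthenticatingFilter that reads the HttpSession, and a Realm that does the actual accept/reject decision and hands out a role. The token class, the session attribute names `userId`/`accountState` and the required value `ACTIVE` are assumptions for illustration.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;
/** Hypothetical token: carries the identity and state the filter read from the HttpSession. */
class SessionStateToken implements AuthenticationToken {
    private final String principal, state;
    SessionStateToken(String principal, String state) { this.principal = principal; this.state = state; }
    @Override public Object getPrincipal() { return principal; }
    @Override public Object getCredentials() { return state; }
}
/** Token-building filter: reads the session and hands the token to the realm through executeLogin. */
class SessionStateFilter extends AuthenticatingFilter {
    static final String USER_ATTR = "userId", STATE_ATTR = "accountState"; // assumed attribute names
    @Override protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
        HttpSession session = WebUtils.toHttp(req).getSession(false); // never create a session here
        Object user = session == null ? null : session.getAttribute(USER_ATTR);
        Object state = session == null ? null : session.getAttribute(STATE_ATTR);
        return new SessionStateToken(user == null ? null : user.toString(), state == null ? null : state.toString());
    }
    @Override protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
        if (executeLogin(req, resp)) return true;          // realm accepted the token: continue the chain
        WebUtils.toHttp(resp).sendError(HttpServletResponse.SC_FORBIDDEN); // realm rejected it
        return false;                                      // false stops the chain; the URL is not reached
    }
}
/** Realm: rejects tokens whose session state is not the required one, grants a role otherwise. */
class SessionStateRealm extends AuthorizingRealm {
    @Override public boolean supports(AuthenticationToken token) { return token instanceof SessionStateToken; }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        SessionStateToken t = (SessionStateToken) token;
        if (t.getPrincipal() == null || !"ACTIVE".equals(t.getCredentials())) // assumed required state
            throw new AuthenticationException("session state does not permit access");
        return new SimpleAuthenticationInfo(t.getPrincipal(), t.getCredentials(), getName());
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("active-user"); // URLs can then be guarded with roles[active-user]
        return info;
    }
}
```

Register the realm and filter in shiro.ini (`sessionStateRealm = SessionStateRealm`, `securityManager.realms = $sessionStateRealm`, then map the protected URLs to the filter). Note that AuthenticatingFilter.isAccessAllowed lets an already authenticated Subject through without consulting the realm again, so override it to return false if the session state must be re-checked on every request.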