JAAS and Tomcat: how to plug into request processing?

[Mick Krippendorf <mk...@infomatec.de>]

Hi,

we use JAAS in our webapplication and it works. The implementation
however is not satisfying.

Before accessing sensitive data from within JSPs, we check wether the
user has sufficient permissions. Therefore, we divided (i.e.duplicated)
the interface into protected abstract and final public operations, and
let the public ones call the protected (guarded) ones, after
establishing a privileged context. 


Simplified Example:

//public operation:
public final void guardedFoo() {
  //establish privileged context:
  Subject.doAs(
    aSubject,
    new PrivilegedAction () {
      run() {
        //protected abstract operation:
        realFoo();
      }
    }
  );
}
//s.a.
public void final guardedBar() {
  Subject.doAs(
    aSubject,
    new PrivilegedAction () {
      run() {
        realBar();
      }
    }
  );
}

//later, two _equal_ privileged contexts are created!
obj.guardedFoo();
obj.guardedBar();

This is annoying and also inefficient, because the same privileged
context has to be installed for every single operation (i.e. several
times in the same JSP). Another problem is that the subject should not
be known to the objects which need to check for permission. This could
be avoided if there was some kind of 'central entry point' or
'cartridge' where a one-for-all privileged context could be installed.

So, the question is:
Is there a possibility to hook into the calling stack prior to the
response generation, so that our tags become executed within a
privileged context?

We came up with two approaches to solve that problem, but none of them
worked:
- We tried to override _jspService(...) in the JSP (and calling
super._jspService(...)), but found it declared as final :(
- We looked at ServletWrapper and Interceptors but we could not figure
out how to implement/install them correctly, mainly because of a lack of
documentation.


Any help is appreciated,

Mick.