The Jetty authentication architecture uses the following 4 interfaces:
- org.eclipse.jetty.server.UserIdentity
- org.eclipse.jetty.security.LoginService
- org.eclipse.jetty.security.IdentityService
- java.security.Principal
Could somebody explain how these 4 interfaces interact with each other in the authentication flow?
Browsing through the code seems not very helpful because there are so many corner cases. I am just interested in the main flow.
This question is hard to answer as it's very open ended / vague.
I'll try the simple answer first.

First, the basics, what's provided by the JVM:
java.security.Principal
- this is the Servlet spec object that holds the person / company / group (login name).
javax.security.auth.Subject
- this holds related information about the Principal (see link to javadoc for list of things it can reveal).

Now the Jetty specifics:
org.eclipse.jetty.server.UserIdentity
- this represents the identification for the user, aka the Principal and Subject for the user (if the principal is null, then the user is not authenticated). This also includes some methods to help with isUserInRole(String) style logic.
org.eclipse.jetty.security.IdentityService
- this associates the UserIdentity with the scope / thread that it belongs to. (This is an advanced concept that some security implementations need to hook into to handle security properly. Jetty only ships with a default behavior that merely creates UserIdentity objects and performs no such association, as it's not needed for the security implementations that Jetty ships with.)
org.eclipse.jetty.security.LoginService
- this is the API for security implementations to use to create/validate/destroy runtime UserIdentity objects from login() and logout() style events.

Finally, how it ties together:
org.eclipse.jetty.security.Authenticator is responsible for the HTTP portion of the authentication piece, such as responding with 401 Unauthorized and 403 Forbidden. It uses the LoginService to do its thing. LoginService uses the IdentityService to associate the UserIdentity to the thread processing the request.

Principal directly, via HttpServletRequest.getUserPrincipal().
Subject is not available via the standard Servlet API.
UserIdentity is partially exposed via the HttpServletRequest.isUserInRole(String role) method.
LoginService is not accessible via the Servlet API directly, but you can use HttpServletRequest.login(String user, String pass) and HttpServletRequest.logout() respectively to access these essential features.

<security-constraint> sections in the WEB-INF/web.xml
javax.annotation.security annotations:
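As an added example (not from the question or the answer above, and not Jetty's own code), a minimal LoginService that shows the flow the answer describes: the Authenticator hands credentials to login(), the LoginService checks them and asks the IdentityService to build the UserIdentity carrying Principal, Subject and roles. It assumes Jetty 9.4/10 (javax.servlet) on Java 17 and a constructed in-memory user table; InMemoryLoginService, Account and NamedPrincipal are names chosen here.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.security.Credential;

/** Constructed example LoginService backed by an in-memory user table (not Jetty code). */
public class InMemoryLoginService implements LoginService {
    /** Stored credential plus roles for one user (constructed sample data). */
    public record Account(Credential credential, String[] roles) {}
    /** Minimal Principal: the Servlet API only needs getName(). */
    public record NamedPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    private final Map<String, Account> accounts;
    private IdentityService identityService = new DefaultIdentityService();
    public InMemoryLoginService(Map<String, Account> accounts) { this.accounts = accounts; }
    @Override public String getName() { return "in-memory"; }

    /** Called by the Authenticator on a login event; null means "not authenticated". */
    @Override
    public UserIdentity login(String username, Object credentials, ServletRequest request) {
        Account account = accounts.get(username);
        // Credential.check() compares against the stored form (plain, MD5:, CRYPT:, OBF:)
        if (account == null || !account.credential().check(credentials)) {
            return null;
        }
        Principal principal = new NamedPrincipal(username);
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        subject.setReadOnly();
        // The IdentityService, not the LoginService, builds the UserIdentity object
        return identityService.newUserIdentity(subject, principal, account.roles());
    }

    /** Re-check an already issued identity, e.g. when a session is resumed. */
    @Override
    public boolean validate(UserIdentity user) {
        return user != null && accounts.containsKey(user.getUserPrincipal().getName());
    }
    @Override public IdentityService getIdentityService() { return identityService; }
    @Override public void setIdentityService(IdentityService service) { identityService = service; }
    @Override public void logout(UserIdentity user) { /* no server-side state to tear down */ }
}
```

With accounts = Map.of("alice", new Account(Credential.getCredential("s3cret"), new String[]{"user"})), login("alice", "s3cret", null) returns a UserIdentity whose isUserInRole("user", null) is true, while a wrong password returns null.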