before-handler and accessmanager for custom servlets?
See original GitHub issueHi there, I managed to setup JWT Authentication like this:
io.javalin.Handler decodeHandler = JavalinJWT.createHeaderDecodeHandler(provider);
app.before(decodeHandler);
MyAccessManager am = new MyAccessManager(provider, rolesMapping, Roles.ANYONE /* default role if non is present in JWT */ );
app.accessManager(am);
So I have an “before” handler as well as an access-manager.
This works for routes like this:
app.get("/showheader", ctx -> Routes.showHeader(ctx), roles(Roles.DEVELOPER));
Perfect. But how about custom servlets like this example:
I tried to setup an before-handler for the path for this servlet, but is not triggered 😦
Do I have to implement the access-protection in the servlet again? Or is it somehow possible to define an access-validation on the url-path with the given access-manager?
br, Alex
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (4 by maintainers)
Top Results From Across the Web
before-handler and accessmanager for custom servlets?
Hi there, I managed to setup JWT Authentication like this: io.javalin.Handler decodeHandler = JavalinJWT.createHeaderDecodeHandler(provider) ...
Read more >Adding a servlet
Servlet Management is only available for Pega Cloud, and allows you to add, modify, and disable servlet configurations without editing the web.
Read more >Tomcat: how to access (session) Manager from servlet
I need to access the Manager from the servlet (or filter) in Tomcat to load the custom session by custom session ID.
Read more >Configuring Mobile OAuth for SSO Servlet Authentication
In Access Manager, create a custom MobileSSOServlet authentication scheme on the OAM server and configure it with a list of mobile application IDs....
Read more >Documentation - Javalin - A lightweight Java and Kotlin ...
It contains the underlying servlet-request and servlet-response, and a bunch of getters and ... Set the access-manager that Javalin should use config.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
This is expected since you bypass all of facilities provided by Javalin and manipulated Jetty server directly. You created a new servlet on a different context path (therefore Javalin doesn’t know about it, the library simply registers it’s own servlet and then every time you do
app.get()
,app.before
it manipulates its’ internal state which still is stored and relevant in Javalin Servlet only).For now most probably you’ll have to call your functionality in two places. You could also take a look into Servlet Filters which surround Servlets (allow to perform pre and post processing of http requests around servlet functionality). For Javalin, which doesn’t use Filters, it’s worth investigating how they could help making the library more flexible and reusable.
@tuxedo0801 could you provide information on why you are forced to register
other
servlet this way (bypassing Javalin)? What are you trying to implement/achieve by that servlet? Maybe we could find an alternative solution for that.I barely want Javalin to be responsible for its own security. The
AccessManager
is intended to be used per endpoint, and users have to write the implementation themselves. Javalin doesn’t know about the endpoints on your other servlets, so it’s not really a good match. You could attach a filter before both Javalin and the other servlet? For me it doesn’t make sense that Javalin should be responsible for the security of an unrelated servlet.