I don't believe you can intercept code with JSPs without precompiling the JSPs.
You MAY be able to do this with JDK 5.0 and our instrumentor, or the new JDK 1.4 classloader stuff we have in HEAD. Kabir is going to take a look.
What's this new classloader stuff that you guys have in head? Mind sharing the concept a little bit?
What I'm trying to do is to prototype some security framework that can be applied to web applications in a more or less uniform way. Unfortunately, having a clean and clear-cut "interceptor" that does not mess around with the application code is not that easy. It's hard to apply design patterns and object models here.
Maybe I'm thinking in the wrong direction?
JBoss AOP works in two ways. Either you precompile your Java .class files to push in the AOP stuff, or you set JBoss AOP up so that it does the bytecode transformations at runtime when the class is loaded. Load-time transformation requires hooks into the classloader.
With JDK 1.4, we originally had to OWN the classloader. Unfortunately, JSPs in Tomcat are loaded by a different classloader, I think, than the JBoss classloader (haven't tried it yet).
Fortunately, JDK 5.0 provides a way to hook in your own transformers via the java.lang.instrument package.
Kevin Conner recently committed something to CVS that can transform java.lang.ClassLoader so that it can provide hooks for transformation. We should be releasing JBoss AOP 1.0 this week with directions on how to use this.
Now, on to the other part of your question....
You'll have to give me more insight on what your goals are with your security framework, then maybe I can suggest some ideas.
Hi. My penny to the discussion.
I have a Struts application and have been using the Tomcat server. I'd like to use JBossAOP with it.
So what I've tried is: precompiled my plain servlets, jsps (in Struts meaning) with jasper/jspc. This way I got sources of my web pages for my application.
As I have sources I can apply JBossAOP aspects to them - including crosscutting every Struts action and applying your own concerns (JBossAOP has some security concern @@org.jboss.aspects.security.*)
I haven't tried to put the compiled sources into Tomcat, but I think there shouldn't be a problem, as these are normal Java classes.
The only problem is: this way one loses the favourite way of development. On every change of a JSP we must recompile and redeploy the whole app. :/
A solution would be to somehow use JBoss AS with Tomcat and a dynamic classloader. I'm waiting for some JBoss + Tomcat + Struts HOWTO. If there isn't one by September, I'll write one myself :)
Thanks for the explanation.
The idea for the security framework is that the declarative security model is static, and it's very hard to do dynamic access control management. For example, say I have a content management app, which I want to hook to an external access manager. Let's say I can define my security policies in the access manager and apply them to my content management app.
When I change my policies, I want them to apply in real-time. I don't want to have to stop my JBoss server, reconfigure a bunch of deployment descriptors, re-deploy, etc. This should be so dynamic and it's transparent.
Maybe I'm in the wrong direction here, but I'm trying to prototype some interceptor that I can apply to any access request to any of my resources (in my content mgmt app). So the request will be security-checked first to see if the user has permission to that resource.
I'm diving into the source code of Tomcat and JBoss to see if there is anywhere I can place a hook in, which gives me some clean way to intercept everything.
Thanks for explaining the diff between the static and dynamic sec model. I will need a dynamic one in some application and was wondering whether to use the already written JBoss security aspects.
What about a servlet filter or a Tomcat valve? This is how we implemented JBoss Security integration with Tomcat. If you're dealing with web requests (HttpServletRequests), then a filter or valve is probably a better solution anyways...
Kabir is working on the JSP side of things this week. Hopefully we'll have some kind of doco around this by the 1.0 release at the end of the week.
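The servlet-filter approach suggested above, applied to the dynamic access control requirement, as an added example that is not part of the original thread and is not JBoss or Tomcat code. The `AccessManager` interface, the `accessManagerClass` init-param and the class name are hypothetical; the `javax.servlet` API is assumed (newer containers use `jakarta.servlet`).

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical client for the external access manager (assumption, not a real JBoss/Tomcat API).
interface AccessManager {
    boolean isPermitted(String user, String method, String resource) throws Exception;
}

public class DynamicAccessFilter implements Filter {
    private volatile AccessManager accessManager;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: this init-param names a class implementing AccessManager.
        String cls = cfg.getInitParameter("accessManagerClass");
        try {
            accessManager = (AccessManager) Class.forName(cls)
                    .getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            // Refuse to start rather than run without a policy source.
            throw new ServletException("cannot load access manager", e);
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Principal p = req.getUserPrincipal();
        String user = (p == null) ? null : p.getName();
        // Decide on the container-decoded path, not the raw request URI.
        String info = req.getPathInfo();
        String resource = req.getServletPath() + (info == null ? "" : info);
        boolean allowed;
        try {
            // Asked on every request, so a policy change applies without redeploying.
            allowed = user != null
                    && accessManager.isPermitted(user, req.getMethod(), resource);
        } catch (Exception e) {
            allowed = false; // fail closed if the access manager is unreachable
        }
        if (!allowed) {
            res.sendError(user == null ? HttpServletResponse.SC_UNAUTHORIZED
                                       : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }

    public void destroy() { }
}
```

Mapping the filter to `/*` in `web.xml` covers servlets, Struts actions and JSPs requested directly, but not internal forwards or includes unless the mapping's dispatcher types include them.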
Any news regarding AOP of non-compiled JSP classes?
Caller pointcuts will work if you use the JDK 5 java.lang.instrument package as defined in the shipped documentation.
We're working on a JDK 1.4 fix still.