Wrap all code paths within AccessController.doPrivileged() block
Folks,
We are migrating from a JSP-based UI to JSF. In our old application we used to have a single servlet base class that would wrap all the invocations of servlet subclasses within an AccessController.doPrivileged(PrivilegedExceptionAction, AccessControlContext).
I'm looking for a suitable location within the JSF API to wrap all code invoked via JSF within AccessController.doPrivileged(). We cannot subclass FacesServlet as it's final.
Is subclassing Lifecycle, and delegating to the default lifecycle for all operations and overriding execute() to call the delegate's execute() within AccessController.doPrivileged() block, the right way of doing this?
We did try using the ViewHandler but we found out many instances where ViewHandler wasn't being invoked (for pop-ups, for example).
Would really appreciate if you can provide us pointers.
More context on why we need this below....
We needed this because we were using Java authorization mechanisms to do authorization checks within our application. The code paths invoked from the servlet subclasses would invoke AccessController.checkPermission(), supplying our custom Permission subclass to it. And since we'd have set up the correct AccessControlContext right at the beginning of the servlet invocation, the checks will work correctly.
Cheers,
Aj
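
The delegating Lifecycle described in the post, written out as an added example (not code from the original poster or from any JSF implementation). `PrivilegedLifecycle` and `contextFor` are hypothetical names, `contextFor` is a placeholder for however the application builds its AccessControlContext, and the `javax.faces` package names assume JSF 2.x. It wraps render() as well as execute(), because FacesServlet invokes the two as separate calls.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.faces.FacesException;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseListener;
import javax.faces.lifecycle.Lifecycle;

// Hypothetical class name; every operation is delegated to the default Lifecycle.
public class PrivilegedLifecycle extends Lifecycle {
    private final Lifecycle delegate;

    public PrivilegedLifecycle(Lifecycle delegate) { this.delegate = delegate; }

    // Assumption: the application builds its per-request context here, as the old
    // servlet base class did. This placeholder just returns the caller's context.
    protected AccessControlContext contextFor(FacesContext fc) {
        return AccessController.getContext();
    }

    private void privileged(FacesContext fc, PrivilegedExceptionAction<Void> action) {
        try {
            AccessController.doPrivileged(action, contextFor(fc));
        } catch (PrivilegedActionException e) {
            // Only checked exceptions are wrapped; FacesException propagates as-is.
            throw new FacesException(e.getException());
        }
    }

    @Override
    public void execute(final FacesContext fc) throws FacesException {
        privileged(fc, () -> { delegate.execute(fc); return null; });
    }

    @Override
    public void render(final FacesContext fc) throws FacesException {
        privileged(fc, () -> { delegate.render(fc); return null; });
    }

    @Override public void addPhaseListener(PhaseListener l) { delegate.addPhaseListener(l); }
    @Override public void removePhaseListener(PhaseListener l) { delegate.removePhaseListener(l); }
    @Override public PhaseListener[] getPhaseListeners() { return delegate.getPhaseListeners(); }
}
```

Installing the wrapper requires a LifecycleFactory, registered under `<lifecycle-factory>` in faces-config.xml, that returns it around the default Lifecycle; that factory is not shown here.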

