struts-user mailing list archives

From "Craig R. McClanahan" <>
Subject Re: container managed security
Date Fri, 12 Jul 2002 21:17:33 GMT

On Fri, 12 Jul 2002, Jürgen Weber wrote:

> Date: Fri, 12 Jul 2002 17:13:28 +0200
> From: Jürgen Weber <>
> Reply-To: Struts Users Mailing List <>
> To:
> Subject: Re: container managed security
> On Tue, 09 Jul 2002, Craig R. McClanahan wrote:
> >The example app rolls its own for one and only one reason -- one of the
> >purposes of this webapp is to detect whether you have Struts installed and
> >working on your container correctly.  The less configuration tinkering you
> >have to do for a "hello, world" application to work, the better.
> Couldn't that better be checked in
> javax.servlet.Servlet.init(ServletConfig config)
> possibly even with load-on-startup?

My point was we wanted an example webapp that you could simply drop into
your container, with no configuration required, and make sure it worked.
If we also made you set up users and roles (i.e. because the example app
itself used container managed security) then we have just made this

> >In general, I believe that apps should use container managed security
> >rather than rolling their own.
> So your statement should be in the FAQs.

It's in ~100 or so mailing list messages (here and on tomcat-user,
jsp-interest, servlet-interest ... :-)

> Unfortunately most examples I saw (Learning Jakarta Struts from
>, the O'Reilly
> Struts book)
> seem to copy this idea and all now use Struts managed login pages.
> >Consider that you are writing a portal application, with the usual self
> >registration facilities.  It is trivially simple to make the portal app
> >itself portable across containers, if you just stick to standard servlet
> >and JSP facilities.  But the notion of "add a new user" is not portable,
> >and requires integration with each container's own user database update
> >mechanisms (for example, using a particular Realm in Tomcat).  There is no
> >way to write the functionality for this in a portable way.
> Yes, this is definitely a problem. We once ended up copying LDAP logic that
> already was in the realm into the application.
> Maybe there should be added functionality to javax.servlet.ServletContext to
> add and delete users.

Something like this, or some portable container-level API with
functionality similar to what Tomcat's (4.1.x) "UserDatabase" provides, is
a long term goal of the platform.  Unfortunately, it is *substantially*
more complex than you might think to identify what a "user" is in a manner
that is portable across all desirable use cases -- let alone how they
should be authenticated.  It's not going to be a short term effort to
standardize this.

> Juergen

