struts-user mailing list archives

From "Madel,Kurt" <kma...@csmi.com>
Subject RE: Using CheckLogin tag from within tiles
Date Tue, 08 Oct 2002 16:49:26 GMT
What about JAAS?

Kurt Madel
Programmer, CSMi
(703) 823-4300 ext. 170


-----Original Message-----
From: Craig R. McClanahan [mailto:craigmcc@apache.org] 
Sent: Tuesday, October 08, 2002 12:30 PM
To: Struts Users Mailing List
Subject: RE: Using CheckLogin tag from within tiles



On Tue, 8 Oct 2002, David Graham wrote:

> Date: Tue, 08 Oct 2002 01:01:32 -0600
> From: David Graham <dgraham1980@hotmail.com>
> Reply-To: Struts Users Mailing List <struts-user@jakarta.apache.org>
> To: struts-user@jakarta.apache.org
> Subject: RE: Using CheckLogin tag from within tiles
>
> Craig,
> I agree with most of your points but you must admit that the non-standard
> implementations of CMA are a pain.  Not really when you work for a company
> that sells a container (Sun, BEA, IBM) because you'll always be using
> theirs, but when developing for a number of containers this can be painful.
>
> It would help if at least one standard implementation was prescribed by the
> spec...I personally like tomcat's jdbc realm implementation.
>

There are actually two pieces to this problem.

* For authorization (i.e. looking up roles), the APIs for
  common plugins for containers were standardized in JSR-115,
  which is part of J2EE 1.4 (and is being implemented in
  Tomcat 5).

* For authentication (i.e. username/password type checks),
  no such standardization has yet taken place.

The problem with something like Tomcat's Realms is that they don't come
anywhere close to meeting all the real world requirements (which is
another reason people don't use CMA even if they don't have to worry about
cross-container issues).  It is a very complex problem space -- go get and
read the JSR-115 spec (currently in proposed final draft) if you want a
feel for this :-).

I just wanted to remind people that they really are playing with fire when
they take authentication and authorization upon themselves.

> Dave

Craig
