tomcat-dev mailing list archives

From Assaf Arkin <>
Subject Re: Security in tomcat
Date Fri, 11 Feb 2000 20:20:47 GMT
> Should we define a security API ( sort of common API for all
> authentication services ) ? Probably, but not as part of tomcat, it's
> much too big.

JAAS attempts to do that, and will eventually get there (the API is not
mature enough).

Servlets can use some security provider that can pre-authenticate you at
the point of PPP, IPSEC, Firewall, whatever and carry that
authentication into the Servlet. It then has to pull out the proper
credentials for you (i.e. roles).

So, essentially all the Servlet container needs is a way to plug into a
security provider, a very simple API.


> > Also, if you have a 2.2 container that supports this, you no longer have to
> > worry about it at the application level at all ...
> You should worry about security at all levels! :-)
> Costin

Assaf Arkin                                 
CTO, Exoffice Technologies, Inc.              
