Uli Mayring wrote:
>
> On Fri, 13 Jul 2001, Berin Loritsch wrote:
>
> > Ah, I see. This is the non-portable realm thing.
> > Every servlet vendor integrates their realms differently.
> > Also, I need my users to authenticate against my database,
> > and have that solution portable across systems.
>
> What do you mean by portable? Different ServletServers, but they're all
> running the same version of Cocoon? Or different environments altogether?
I don't have the API docs in front of me, so I don't want to say anything
out of turn--but here are some facts with the BASIC Security in the Servlet
Spec:

* Every vendor has a different way of mapping user names to roles.
* Not every vendor uses a database.
* For most vendors' servlet engines you do not have enough control
  to use your own database.

When a user logs into my site, they will see some form of authentication.
I prefer to use Form Based Authentication. Right now, all that is required
is username and password. Eventually this will be replaced by a more
sophisticated PKI approach. In the absence of Certificates, I would have
to replicate information between the Servlet Container's security information
and my own database. Even with Certificates, I need to replicate the role
information so that the servlet container can return whether the user is
in a specific role or not.

The type of application suites my company creates needs to maintain user
information in our own database due to the number of ways they can connect
to the data. We have both standalone programs and web based programs.
To further complicate things, we cannot always require a particular type
of software be installed. We have to work within our customer's configuration
management. That means if they don't like Tomcat but they like iPlanet
w/servlets, then we have to support that configuration. Our authentication
methods cannot be broken because we can no longer use Tomcat's Database Realm.
This requires us to implement our own login mechanisms--adding to the complexity
of our software.
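The container-independent login mechanism the message describes (form-based authentication against an application-owned user table, with the application's own role mapping exposed to downstream code) can be done with a plain servlet Filter. The following is an added example written for this discussion; it is not code from the original post, from Cocoon, or from any servlet vendor. It assumes the javax.servlet API, a hypothetical form target `/app-login` with `username`/`password` fields, a hypothetical login page `/login.html`, and an in-memory user map standing in for the database; the user record, its salt, and the password are constructed sample data.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical container-independent login filter. Roles live in the
// application's own store, so no vendor realm configuration is needed.
public class AppLoginFilter implements Filter {

    /** Kept in the HTTP session once a login succeeds. */
    static final class AppPrincipal implements Principal {
        final String name;
        final Set<String> roles;
        AppPrincipal(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        public String getName() { return name; }
    }

    /** One row of the application-owned user table (constructed sample). */
    static final class UserRecord {
        final byte[] salt; final byte[] hash; final Set<String> roles;
        UserRecord(byte[] salt, byte[] hash, Set<String> roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    private static final String SESSION_KEY = "app.principal";
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final Map<String, UserRecord> USERS = new HashMap<>();
    static {
        // In a real deployment the salt and hash come from the database row.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put("alice", new UserRecord(salt,
                pbkdf2("correct horse battery staple".toCharArray(), salt),
                new HashSet<>(Arrays.asList("user", "admin"))));
    }

    /** Salted, iterated password hash (PBKDF2-HMAC-SHA256, 256-bit output). */
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Verifies a password against the stored hash using a constant-time compare. */
    static Optional<AppPrincipal> authenticate(String user, char[] password) {
        UserRecord rec = USERS.get(user);
        if (rec == null) return Optional.empty();
        byte[] candidate = pbkdf2(password, rec.salt);
        return MessageDigest.isEqual(candidate, rec.hash)
                ? Optional.of(new AppPrincipal(user, rec.roles)) : Optional.empty();
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        HttpSession session = http.getSession(true);
        AppPrincipal principal = (AppPrincipal) session.getAttribute(SESSION_KEY);
        String path = http.getServletPath();

        // Hypothetical form target: POST /app-login with username/password.
        if (principal == null && "POST".equals(http.getMethod()) && "/app-login".equals(path)) {
            String user = http.getParameter("username");
            String pass = http.getParameter("password");
            Optional<AppPrincipal> p = (user == null || pass == null)
                    ? Optional.empty() : authenticate(user, pass.toCharArray());
            if (p.isPresent()) {
                session.invalidate();                       // new session id after login
                http.getSession(true).setAttribute(SESSION_KEY, p.get());
                out.sendRedirect(http.getContextPath() + "/");
            } else {
                out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }
        if (principal == null) {
            if ("/login.html".equals(path)) { chain.doFilter(req, res); return; }
            out.sendRedirect(http.getContextPath() + "/login.html"); // hypothetical page
            return;
        }
        // Expose the application's roles through the standard servlet API so
        // downstream code calls isUserInRole() the same way on every container.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return principal.name; }
            @Override public boolean isUserInRole(String r) { return principal.roles.contains(r); }
        }, res);
    }
}
```

The filter is mapped to `/*` in web.xml like any other filter, so the same war deploys unchanged on Tomcat, iPlanet or another engine; the container's own realm is simply not used. The request wrapper is what lets existing servlets and Cocoon components keep calling `isUserInRole()` without knowing where the role data came from, and invalidating the pre-login session avoids carrying an attacker-chosen session id across the authentication boundary.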