Frank W. Zammetti (MLists) wrote:
> I'm not sure I follow your reasoning... In terms of security, you ALWAYS
> want a user to be authenticated and validated before ANY application-level
> code executes, and in my mind, that very much includes input validations.
> Filters provide this mechanism, before Struts comes into play, which is
> where it should happen.
I have a question, Frank. Why do you say that what we "ALWAYS" want
"[i]n terms of security" is "authenticat[ion] and validat[ion] before
ANY application-level code executes"? Why cannot application-level
code do just as credible a job in this regard? Programmatic security is
certainly not unusual or, so far as I know, considered to be poor form,
is it? I am not saying, of course, that filters and such are not the
way to go, but I can certainly imagine circumstances in which this would
seemingly be my second choice.
> In an enterprise-class application, the trend, and rightly so I think, is
> to externalize security, meaning when a URL is requested, the web server
> hands the user authentication piece off to some handler (like Netegrity
> Siteminder as an example), so it's not the web server, app server or even
> a filter that handles checking if a user is valid for each request.
Is this really a known trend? I don't doubt you. I just don't know why
you say these things, and the mere assertion is interesting but not that
helpful. You seem to be experienced in this area, and I assume that you
have good reasons for these statements. Thanks.
Michael McGrady
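The filter-before-Struts arrangement Frank describes, as an added example that is not code from either poster: a servlet Filter mapped to `/*` ahead of the ActionServlet that fails closed unless the session already carries an authenticated user, so no Action (and no input validation) runs for an anonymous request. The session attribute name `authenticatedUser` and the list of public paths are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Fail-closed authentication filter. Mapped to /* in web.xml so it runs before
// the Struts ActionServlet or any other servlet sees the request.
public class AuthenticationFilter implements Filter {

    // Paths reachable without an authenticated session (assumed for this example).
    private static final Set<String> PUBLIC_PATHS =
        new HashSet<String>(Arrays.asList("/login.do", "/logout.do"));

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Match on the servlet path only, so a query string or extra path
        // segments cannot make a protected URL look like a public one.
        String path = request.getServletPath();
        if (PUBLIC_PATHS.contains(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("authenticatedUser");
        if (user == null) {
            // Stop here; nothing downstream (Struts, validators, Actions) executes.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The ordering guarantee comes from the filter mapping, not the code: if a second filter or servlet is mapped before this one, application code can still run unauthenticated.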