francis pouatcha wrote:
> > If I have a piece of HTML that looks like this:
> >
> >   <FORM ACTION="http://my.server.com/LoginServlet">
> >   <INPUT TYPE=TEXT NAME="username">
> >   <INPUT TYPE=TEXT NAME="password">
> >   </FORM>
> >
> > ...then how does my webserver know that authentication should take
> > place?  I fail to see how this is possible.
>
> What I said above works for HTTP basic authentication and Certificate based
> authentication (SSL). Your example deals with form based authentication. In this
> case there is a hole in the Servlet spec. "The LoginServlet needs some way of
> communicating these security attributes to the web server environment". I hope Sun
> people are monitoring the list.

AHA.

Good; I'm not stupid.  :-)

So it *IS* the case that in the most common case experienced on the web
today--i.e. where you don't rely on basic authentication but you build
it yourself using a servlet that you write, as in logging in to Yahoo or
something like that--the current servlet/EJB specifications have an
enormous gaping hole.

This tells me that for the short- to medium-term I should just accept
the fact that authentication is broken and that the EJB server might not
know what principal is calling it, and so I should basically code my
first-generation beans extraordinarily defensively so that they don't
rely on the so-called security features of EJB, which aren't there yet.

Thank you.

Cheers,
Laird

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".