Jon Tirsen wrote:
> In latest J2EE things look a bit better since you can specify in the
> deployment descriptor of a web-archive what pages needs to be authenticated
> and how this should be done, there are 4 choices ("basic", "digest", "form",
> "client-cert") so the flexibility is not really what one should expect.
Right. It's getting there, but even this isn't right. For example,
although I can designate a page as protected, what if what I really want
to say is "render this page THIS way if the user IS logged in, and THAT
way if the user ISN'T logged in". Is that a protected resource or not?
> The JAAS way of authentication is although really cool, featuring the PAM
> (Pluggable Authentication Modules). Which gives all flexibility one could
> ever want to have. (and more!)
> The issue wheather JAAS is gonna get integrated into J2EE or not has been on
> discussion on this or the j2ee-list. Also I've read somewhere that it is
> gonna be integrated.
I've gotten private emails that say (a) JAAS will be perfect for
user-form-based authentication, and (b) JAAS will not at all be
applicable for user-form-based authentication. From this I conclude
that JAAS is not yet understood by the user community, let alone by the
folks writing the specifications. Consequently I'm ignoring it for now
until this whole spec-to-spec communication issue is resolved (with my
luck long after my deadline...sigh...this industry...).
> <vendor>
> WebLogic 5.0 is gonna support the latest J2EE-specs.
Hot damn. That's the app server we'll be using!
> I've gotten what you're talking about to work on WebLogic 4.5. Of course
> this is WebLogic-specific.
Good; could you be kind enough to send me a quick sample code snippet?
I'd be eternally grateful.
Cheers,
Laird
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
