On the face of it, the question seemed to have little to do with EJBs, but
actually the core issues of programmatic versus declarative security are the
same.

When you said "1000 different types of users", I was taken aback; all
applications I've seen have never come close to reaching this figure. I
think that having to maintain and manage access rights to 1000s of groups
would be completely unfeasible.

But to answer the original question, you should specify a servlet engine
which implements the Servlet 2.2 spec. This gives you all you will need on
the authentication side, since you can specify based on URL patterns what
security should apply (i.e. what user groups can get to pages matching this
pattern), ask the container to validate the user attempting to gain access
and it will redirect to the original resource requested if the validation
succeeds, else the user will get an error page which you can specify.

This declarative approach will give you page level security, which may be
all you want (i.e. I either get the page or I don't). If you need to
control what a particular role sees when they hit, say, "search_results.jsp",
then you will need to use programmatic access to get that level of
flexibility. This also applies to security once you get into the EJB tier.

The best quick overview I've seen on this is in Ed Roman's free book
(http://theserverside.com/resources/index.jsp), pp. 136 - 142.

RE: dynamic usertypes, I can't think of anything declarative in either the
EJB or JSP / Servlet spec. that will help you here. That seems to fall into
the programmatic arena totally. Again though, I'd question the reasoning to
allow user types to be defined at runtime.

Humphrey

-----Original Message-----
From: Chris Humphrey [mailto:[EMAIL PROTECTED]]
Sent: 29 June 2000 17:59
To: [EMAIL PROTECTED]
Subject: user administration/validation

Hello all,

I am starting on designing/building a web application; one of the
requirements is to be able to validate each user's access to each page.
In other words we may have 1000 jsp's and 1000 different types of users,
each user needs to be validated and approved to access the jsp before
getting to the jsp. The user types will be dynamic, so the customer
wants to be able to create new usertypes, and give that type of user
access to certain pages.

Here is the architecture that has been decided on so far:
Java J2EE/JSP on sun/solaris servers. We have not decided on an ejb
server yet, or a webserver, or a jsp engine, but these components will
be part of the architecture.

All comments from anyone who has ideas on solving this problem or has
already solved something like this would be very much appreciated.

Thanks in advance,
Chris
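
The programmatic side that the reply says runtime-defined user types fall into, sketched as an added example that is not part of the original thread or of any product mentioned in it. The class name, user types and paths are constructed for illustration; `request.getServletPath()` and `request.getRemoteUser()` are the Servlet API calls a real page would feed into it, and the patterns follow the servlet URL-pattern style (exact, `/dir/*`, `*.ext`).

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical names): user types created at runtime are
// granted URL patterns; anything not granted is denied.
public class PageAccessPolicy {
    private final Map<String, Set<String>> grants = new ConcurrentHashMap<>();

    public void grant(String userType, String pattern) {
        grants.computeIfAbsent(userType, k -> ConcurrentHashMap.<String>newKeySet()).add(pattern);
    }

    public void revoke(String userType, String pattern) {
        Set<String> patterns = grants.get(userType);
        if (patterns != null) patterns.remove(pattern);
    }

    // Servlet-style patterns: "/dir/*" prefix, "*.ext" extension, else exact path.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return pattern.equals(path);
    }

    // In a servlet or JSP, path would be request.getServletPath() and the user
    // types would be looked up from request.getRemoteUser() (lookup not shown).
    public boolean isAllowed(Collection<String> userTypes, String path) {
        if (userTypes == null || path == null) return false;
        for (String type : userTypes)
            for (String pattern : grants.getOrDefault(type, Collections.<String>emptySet()))
                if (matches(pattern, path)) return true;
        return false; // default deny: unknown type or ungranted page
    }

    public static void main(String[] args) {
        PageAccessPolicy policy = new PageAccessPolicy();
        policy.grant("auditor", "/reports/*");          // type defined at runtime
        policy.grant("support", "/search_results.jsp");
        System.out.println(policy.isAllowed(Arrays.asList("auditor"), "/reports/q2.jsp"));
        System.out.println(policy.isAllowed(Arrays.asList("auditor"), "/reportsadmin.jsp"));
        policy.revoke("auditor", "/reports/*");
        System.out.println(policy.isAllowed(Arrays.asList("auditor"), "/reports/q2.jsp"));
    }
}
```

The prefix match requires a `/` boundary, so a grant on `/reports/*` does not leak to `/reportsadmin.jsp`, and a revoked or never-defined user type falls through to the default deny.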