inline

> -----Original Message-----
> From: Jeff Schnitzer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 31, 2001 20:18
> To: [EMAIL PROTECTED]
> Subject: Re: Is LoginServlet bad practice?
>
>
> Umm, maybe because J2EE security services SUCK?  :-)
>
> Somebody didn't really think out the specification very well.
> Form-based login is a step up from boring old http authentication, but
> it doesn't go nearly far enough.  You can't:
>
> 1) Provide a login page.  Every membership-oriented site on the internet
> provides a login form on their front page (e.g. www.aol.com,
> www.hotmail.com).  Form-based login only lets you authenticate when you
> transition to a protected page.
>
false... I am logging in users in both a restrictive/free way (I'm using
Orion)

> 2) Allow the user to try again on the "bad password" page.  The user
> must hit "back" on their browser (or click on another link that takes
> them to the protected page).
false again
>
> The form-based login might work ok for an e-commerce app, where
> authentication is only required on the transition to the checkout page,
> but the web is a lot more than just that.  This deficiency in the j2ee
> spec is the only reason I have any server-dependent code in my app at
> all.
>
> Jeff
>
> >-----Original Message-----
> >From: Dave Wolf [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, January 31, 2001 9:28 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Is LoginServlet bad practice?
> >
> >
> >But why write a line of code when J2EE security services provide this
> >all to you?
> >
> >Dave Wolf
> >Internet Applications Division
> >Sybase
> >
> >----- Original Message -----
> >From: "Rahman, Zahid" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Wednesday, January 31, 2001 12:03 PM
> >Subject: Re: Is LoginServlet bad practice?
> >
> >
> >> Not my opinion,
> >>
> >> With regard to internal staff changing the servlet  ?
> >>
> >> For instance, what are you going to do if the staff take your physical
> >> machine, then what are you going to do?
> >>
> >> Interesting point though. Not much you can do when the servlet methods
> >> are specified and common to all servlets. Not much you can do?
> >>
> >> The key point here is internal staff changing code ?
> >>
> >> Regards
> >> Zahid
> >> > -----Original Message-----
> >> > From: Bono, Chris [SMTP:[EMAIL PROTECTED]]
> >> > Sent: Wednesday, January 31, 2001 3:30 PM
> >> > To:   [EMAIL PROTECTED]
> >> > Subject:      Re: Is LoginServlet bad practice?
> >> >
> >> > Why not use J2EE security?
> >> >
> >> > -----Original Message-----
> >> > From: Carlos Otero Barros [mailto:[EMAIL PROTECTED]]
> >> > Sent: Wednesday, January 31, 2001 8:31 AM
> >> > To: [EMAIL PROTECTED]
> >> > Subject: Is LoginServlet bad practice?
> >> >
> >> >
> >> > Hi All!
> >> >
> >> > Recently I have been involved in a discussion about the convenience of
> >> > encapsulating the login process in a separate servlet, namely
> >> > LoginServlet. My opinion is this is a bad practice from a security
> >> > point of view. Internal personnel could substitute the LoginServlet
> >> > with any other simple servlet with the same methods() and take the
> >> > whole web site unsecured.
> >> >
> >> > Your opinion?
> >> >
> >> > Thanks
> >> >
> >> >
> >> > ===========================================================================
> >> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> >> > of the message "signoff EJB-INTEREST".  For general help, send email to
> >> > [EMAIL PROTECTED] and include in the body of the message "help".
> >> >
> >> >
> >>
> >>
> >>
> >>
> >
> >
> >
>
>

