Luke Taylor wrote:
> Oleg Nitz wrote:
>> Luke Taylor wrote:
>> > OK, things are becoming a bit clearer (I think) - I was a bit confused
>> > by the idea of a totally stateless server and the client apparently
>> > re-authenticating on each request. So when Marc said "JBoss doesn't
>> > remember squat" was he really saying "JBoss doesn't remember squat....
>> > but it gets its pal JAAS to remember for it " :-)?
>>
>> Don't you see the difference between a list of users that logged in
>> and the cache that can be purged at any moment?
>>
> Not quite sure what you mean here ... but I probably need to read some
> more on JAAS etc. I would have thought any state information
> representing client credentials would have to be purged periodically,
> either based on the validity period of those credentials or as the
> server sees fit - forcing the client to re-authenticate ...
This model may be stateless.
The stateful one is: when a user logs in, the server registers him and puts
him on some list. When the user logs out, the server removes him from the list.
A user cannot access server beans if he is not in the list.
This is what I mean by a stateful security model.
Actually, you can use short-lived credentials either with the user
list (and have a stateful model) or without (and have a stateless model).
With a stateless model the server can purge the security information at
any moment, say if the size of the security cache becomes too big.
This yields better scalability.
>> Have you tried beer-drinking? It's not boring at all :-)
>>
> All too often, I'm afraid (this is Scotland after all, despite the
> Swiss email address). The loss of brain cells has doubtlessly
> contributed to my slow-witted approach to technical problems these days,
> and frequent dumb mistakes.
I have the same hobby :-)
Oleg
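The two models Oleg describes, as an added illustration that is not code from the thread, JBoss or JAAS; the class names, the credential store and the (user, password, expiry) credential shape are assumptions:

```python
# Constructed illustration of the stateful vs. stateless security models;
# not JBoss or JAAS code. USERS, the classes and the credential tuple are made up.

USERS = {"alice": "s3cret"}  # constructed credential store


class StatefulServer:
    """Login puts the user on a list; logout removes him; access needs the list."""

    def __init__(self):
        self.logged_in = set()

    def login(self, user, password):
        if USERS.get(user) != password:
            return False
        self.logged_in.add(user)
        return True

    def logout(self, user):
        self.logged_in.discard(user)

    def access_bean(self, user):
        # The request carries no credential; the list is the only authority,
        # so this list can never be dropped without logging people out.
        return user in self.logged_in


class StatelessServer:
    """No login list. Every request carries a short-lived credential
    (user, password, expiry); the cache only skips repeated verification."""

    def __init__(self, max_cache=2):
        self.max_cache = max_cache
        self.cache = set()  # credentials already verified, keyed on the whole tuple

    def purge(self):
        self.cache.clear()  # allowed at any moment; nobody is "logged out" by it

    def access_bean(self, cred, now):
        user, password, expiry = cred
        if now >= expiry:
            return False  # validity period over: client must re-authenticate
        if cred in self.cache:
            return True  # verified earlier and still within its validity period
        if USERS.get(user) != password:
            return False
        if len(self.cache) >= self.max_cache:
            self.purge()  # security cache too big: drop it, scalability wins
        self.cache.add(cred)
        return True
```

After `purge()` the stateless server still admits a valid credential on the next request, whereas removing a user from the stateful list denies him until he logs in again.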