Craig:

I just read the Servlet 2.2 spec on security and container-based
authentication. Thanks for pointing it out to me.

It seems to me that the new spec has added 2 things:

1. the 'boolean HttpServletRequest.isUserInRole(String role)' API
2. a declarative way to specify URL Resource/HTTP GET-POST/Role restrictions
in the servlet engine XML properties.

However, to use this in a real application, we would still need a
programmatic API for adding new user/password/role data from a servlet
(hopefully using an API that is standard/portable across servlet engines).
Does this exist somewhere else in the J2EE spec?

Thanks again,

Ian



----- Original Message -----
From: Craig R. McClanahan <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, November 28, 1999 5:32 PM
Subject: Re: Looking for a java.security.acl database implementation...


> Ian wrote:
>
> > Hi all:
> >
> > Does anyone know of a freely available implementation of the
> > java.security.acl interfaces that uses JDBC against access control
> > information stored in a relational database?
> >
> > I want to use these standard, open interfaces for my JSP/servlet app
> > infrastructure controlling users, groups and their resource permissions.
> > Many people must have implemented these already for their servlet systems.
> > Have any been made publicly available?
> >
>
> I don't know of any generally useful implementation of these interfaces, but I
> have a suggestion for some additional research for you.
>
> Version 2.2 of the servlet API includes the ability to define "declarative"
> security, based on the concepts of Principals and role names.  The exact same
> security architecture is defined in EJB 1.1, so it will likely be common to
> delegate responsibilities for this stuff to your application server containers
> (once these standards are implemented) versus coding support for the ACL
> interfaces directly in your applications.
>
> Given that servers implementing these new APIs will be available fairly soon, you
> might want to think about how much effort to invest administering security
> yourself (via the ACL APIs or other such mechanisms) versus container managed
> security.
>
> For more information, see the specifications for servlet 2.2 and EJB 1.1,
> available at the JavaSoft web site.  The "Application Programming Model" document
> on the Java2 Enterprise Edition (J2EE) site also has some useful discussions of
> security mechanisms using these new approaches.
>
>     http://java.sun.com/j2ee
>
>
> >
> > Thanks,
> >
> > Ian
> >
>
> Craig McClanahan
>
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> FAQs on JSP can be found at:
>  http://java.sun.com/products/jsp/faq.html
>  http://www.esperanto.org.nz/jsp/jspfaq.html
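
The two Servlet 2.2 pieces listed in the message above (the declarative URL/method/role restriction and `isUserInRole`), shown together as an added example that is not part of the thread. The servlet name `AdminServlet`, the URL pattern `/admin/*` and the role name `manager` are assumptions.

```java
// Added example, not code from the thread. Assumed names: AdminServlet,
// URL pattern /admin/*, role "manager".
//
// Declarative part, placed in WEB-INF/web.xml (Servlet 2.2 descriptor):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Admin pages</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//       <!-- Listing methods limits the constraint to those methods only;
//            omit <http-method> entirely to cover every HTTP method. -->
//       <http-method>GET</http-method>
//       <http-method>POST</http-method>
//     </web-resource-collection>
//     <auth-constraint><role-name>manager</role-name></auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method></login-config>
//   <security-role><role-name>manager</role-name></security-role>

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AdminServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // The container authenticates the caller and enforces the
        // security-constraint before this method is invoked.
        Principal user = req.getUserPrincipal();

        // Programmatic check: a second, in-code decision on the role.
        // Fail closed if there is no authenticated principal.
        if (user == null || !req.isUserInRole("manager")) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("Signed in as " + user.getName());
    }
}
```

Where the users, passwords and role assignments behind the `manager` role are stored is left to the container's configuration in this example.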