Geoff Soutter wrote:
> Craig R. McClanahan wrote:
>
> >For the 2.2 API, what you really want is a way to connect your servlet container
> >to this security realm. At the moment, that's going to be a per-container issue,
> >but remember -- this only affects deployment of the servlet container itself,
> >*not* the applications you run in it.
>
> Ahem. This is only correct if your servlet has a "closed" user group - i.e.
> it doesn't want to add or delete users itself.
>
In the case of a legacy security realm, the user group is not "closed". Consider
the case where you use Orion's UserDataManager interface (which is the same
concept that is being added to Tomcat) to interface with a directory server
(accessed via JNDI) that contains all of the enterprise-wide usernames, passwords,
and permissions. The tools to add new users to this directory will normally
already exist -- and a new user added to the enterprise directory in the usual way
will be visible to the security portions of the container immediately, just like
rows added to a database table by an external application are visible to
servlet/JSP apps that read from that table.

The sweet spot for a common API for user administration (adds, deletes, changes)
is where there is no existing legacy system that you can integrate with. My
experience with web apps so far (3+ years) says that the former case (need to
integrate with a legacy security system) has happened much more often than the
latter.
>
> I can imagine the opposite is a pretty common requirement. Even the J2EE
> demo app needs to use this "container specific" functionality!
>
It's worse than that ... they modified Tomcat internals as they were building it
to add "J2EE RI"-specific hooks! This is one of the things we have to undo
somewhat, to make Tomcat a candidate for embedding in other servers.

As others have also pointed out, the J2EE RI needs to be very clear where it is
utilizing standard interfaces and where it is using features of that particular
implementation. Otherwise we'll see the same thing we saw with servlets -- for
example, people assuming that servlet chaining was part of the standard because
JWS had it as a product feature.

Craig McClanahan