Daniel Lopez wrote:
> I understand, I'm not saying it cannot be done with isUserInRole(). But in my
>architecture I don't
> need to use isUserInRole() inside my business logic because the "security framework"
>already
> performed the appropriate security checks. So my perform() method just does that:
>perform the
> operation. I'm just trying to say that I find it much better when all the checks are
>performed in
> the security framework and the business logic just performs business logic. IMHO,
>the security
> framework of the JSDK2.2 is not able to do that because it forces you to specify the
>security policy
> (role/permissions requiered to perform an operation) STATICALLY.
>
I understand your point (about not wanting to use isUserInRole() in your business
logic), even if I
don't agree with you :-). Now, the question becomes, *how* would you propose to
specify and implement
a security policy, in a general specification, that does what you suggest? It's all
well and good to
say that something should be standardized, but it's much more useful to consider some
example
approaches and see if they are generally applicable or not.
> [snip]
> Just my 2c,
> Dan
>
> PD: On a side note, this is not an attack of any kind to the guys that produced the
>specification
> ;). On the contrary, they have been quite open minded and interested in feedbak. But
>they told me
> they haven't got much feedback from this issue, which I find quite interesting, so
>that's why I'm
> trying to generate some. I think it's better to discuss things in advance and do it
>almost right
> from the beginning, than getting a final specification and start complaining because
>it could have
> done better.
I agree here ... let's continue to explore what might be possible by working through a
couple of same
approaches to your proposed scenario:
* Same business logic is executed by multiple users.
* Different users get to do different "things" based
on their assigned roles within that business logic.
* Security framework identifies and enforces this
"from the outside" -- i.e. no conditional calls within
the business logic to determine roles.
At the moment, I'm not seeing clearly how you would do these things in a general way.
Craig
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
