Hi Craig,
Now that you mention security and the new specification JSDK2.2...
"Craig R. McClanahan" wrote:
> ...<snip>
> For security, I've taken two different approaches:
>
> * In servlet containers that do not support the 2.2 servlet API, I add a little
> scriptlet that checks the user's session for existence of a LoginBean, and
> does a <jsp:forward> to the login page if it is missing. The bean would be
> missing on a new session, if the user's old session timed out (and a new one
> was created), or after a logoff (where I invalidate the session).
>
> * Now that the 2.2 servlet spec lets you define security constraints for
> URL paths (in much the same way you can configure protection on
> sets of static content in a web server), I'm going to let the container
> worry about security -- I will never have to write a login page or check
> scriptlet again; all I need to worry about is configuring the servlet
> container on how to look up usernames and roles.
>
It might be that I haven't really understood how security is specified in JSDK2.2, but
how would you solve the case of having two different users (with different privileges)
accessing two different sets of data (which require different roles) using the same
servlet/JSP (which means the same URL with different request parameters)? A basic
example: several users accessing their own preferences for an application. You don't
want one user to see the preferences of another user, and you don't want to create a
different JSP for each user. Given the JSDK2.2 spec, the only solution I can think of
is using "isUserInRole()" inside the JSP or the servlet to check whether the parameters
match the authenticated user, so we are back again to mixing security and business
logic. Am I missing something?
And, if I'm not mistaken, you'll have to redeploy the security part of your application
every time you change from one container to another. And that's something you didn't
have to do before.
Comments appreciated,
Dan
-------------------------------------------
Daniel Lopez Janariz ([EMAIL PROTECTED])
Web Services
Computer Center
Balearic Islands University
-------------------------------------------
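The split Dan describes, shown as an added example that is not code from either Craig or Dan: the Servlet 2.2 container handles authentication and the coarse role check for a URL pattern declaratively, while the servlet itself still has to verify that the `user` request parameter names the authenticated caller (or that the caller is an admin) before handing back that user's preferences. The web.xml fragment, the `/prefs/*` path, the `user`/`admin` role names and the `PreferencesServlet` class are all assumptions made for this illustration.

```java
// PreferencesServlet.java -- added illustration, not code from the thread.
// Assumes a Servlet 2.2 container with this (assumed) web.xml fragment:
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Preferences</web-resource-name>
//       <url-pattern>/prefs/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>user</role-name>
//       <role-name>admin</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//
// The container enforces "logged in and in role user or admin" for /prefs/*.
// Whether THIS caller may read THAT user's preferences is still decided here.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Hashtable;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PreferencesServlet extends HttpServlet {

    // Constructed stand-in for the preferences store; a real application
    // would read from a database keyed by user name.
    private final Hashtable prefs = new Hashtable();

    public void init() {
        prefs.put("alice", "theme=dark");
        prefs.put("bob", "theme=light");
    }

    // Returns true only if the authenticated caller may read owner's data:
    // the same user, or a member of the admin role. Kept free of servlet
    // types so it can be unit-tested without a container.
    static boolean mayAccess(String remoteUser, boolean isAdmin, String owner) {
        if (remoteUser == null || owner == null) {
            return false;            // not authenticated, or no selector given
        }
        return remoteUser.equals(owner) || isAdmin;
    }

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Identity established by the container (null if no security
        // constraint covered this URL and nobody logged in).
        String remoteUser = req.getRemoteUser();
        // The "user" parameter is client-controlled: treat it only as a
        // selector to be authorised, never as the caller's identity.
        String owner = req.getParameter("user");

        if (!mayAccess(remoteUser, req.isUserInRole("admin"), owner)) {
            // Record the denial in the container log, then refuse with 403
            // (the caller is already known, so there is nothing to hide).
            log("prefs denied: remoteUser=" + remoteUser + " requested=" + owner);
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String value = (String) prefs.get(owner);
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("preferences for " + owner + ": "
                    + (value == null ? "(none)" : value));
    }
}
```

Requests for `/prefs/show?user=alice` from a session authenticated as `bob` reach the servlet (the container is satisfied: bob is logged in and holds the `user` role) but are refused by `mayAccess`, which is exactly the check Dan says cannot be pushed into the container configuration. Keeping that check in a small, container-independent method at least confines the "mixed" security logic to one place.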