Warner Onstine wrote:
> So, I just wanted to get some feedback from you guys on what kind of 
> security system makes sense. Is the above one too complex, not enough?

Seems very reasonable.

> I 
> also wanted to find out what kind of authentication you all have done 
> and which one works best:
> Web-based
> Digest
> (I know there are others, I just can't think of them right now)

Most web users prefer FORM-based authentication - it's just more pleasant 
from the UI perspective, and that can (should) be SSL'd to make it truly 
secure.  Definitely don't use BASIC (unless you SSL).

> What about JAAS?

I wholeheartedly recommend going the full J2EE security route and using 
JAAS.  We're using it in my day job project now and it was trivial to 
implement and is working like a charm.  Every container will have its 
own pains in this regard, but it's much better than rolling your own 
complete mechanism.  Using isUserInRole(..) calls in the web tier if you 
need to do programmatic security works, but I'd recommend staying as 
declarative as possible.  You can configure spaces of URLs for 
different roles in web.xml, and we use that and declarative method-level 
security on session bean APIs as well.

Maybe Turbine has some declarative nature to it as well with security? 
Struts 1.1 does - you can declare an action mapping to be only for a set 
of roles, and there are some handy taglibs to hide pieces of pages 
unless you are in the specified roles.

We've done a fair bit of homework on the security side of things 
recently, and have chosen the full-on J2EE route including JAAS.

        Erik


