On Wed, Sep 16, 2009 at 1:49 AM, Viktor Klang <viktor.kl...@gmail.com> wrote:

>
>
> On Wed, Sep 16, 2009 at 2:38 AM, Charles F. Munat <c...@munat.com> wrote:
>
>>
>> David Pollak wrote:
>> > The existing page/URL level security has nothing to do with Mapper.
>> >  There's nothing that can be done with Mapper that can't be done with
>> > JPA (with the exception of Mapper's field-level access control which, to
>> > my knowledge, is not being used anywhere.)
>>
>> I meant that the login feature when you use the basic archetype is set
>> up to work with Mapper, not that login is part of Mapper. It could be
>> adapted to work with JPA easily, but there is no JPA archetype so far
>> that includes that login functionality (that I'm aware of). You have to
>> roll your own.
>>
>> > I radically disagree.  Having a separate concern doing "security" is a
>> > disaster because there'll always be some place where one system believes
>> > one thing and the other system believes something else.
>>
>> A disaster? Always? Really?
>
>
Anything that's not strongly typed, IMHO (I guess I'm channelling Greg
Meredith) is a disaster waiting to happen.

For systems written by a small team of people who all currently have the
rule set in their head, the disaster is generally averted.

For systems that have multiple layers of testing and a dedicated QA staff
(both very high cost) the disaster is generally averted.

Lift is not always strongly typed.  Lift doesn't insert all the correct
JavaScript in a page that it's rendering (e.g., references to jQuery).  This
accounts for some measurable traffic on this list.  Lift's binding mechanism
is not strongly typed (although there's immediate feedback on smoke tests)
and that leads to some problems.  Lift's "by convention" snippet/comet
location mechanism is not strongly typed and that leads to a lot of traffic
on this list and no doubt to a lot of problems by developers that don't
bubble up to the list.

But security is special.  Security is something that has to be done better
than by convention or by group knowledge or by testing (you should test for
security as well).  Security is something that should be obvious in the most
basic code review and your program should not compile if the security
assumptions about a resource in one area are not the same as the security
assumptions about the same resource in another area.


>> Even allowing for hyperbole, if these
>> systems are so bad, why are so many people using them -- apparently with
>> great success? Without some evidence to back this claim up, I'm dubious.
>>
>
> Chas, there's a lot of really shitty software used by millions of people,
> I could name these products to you, but I'm unwilling to bash multinational,
> billion-dollar companies where they have no possibility to retort.
> The moral of the story is that just because everyone else is doing it
> doesn't mean that it's good or even above retarded.
>
>
>>
>> That said, it certainly would be nice to have these capabilities in
>> Lift. But I don't have the time either. SS looks pretty drop in.
>>
>> There may also be situations where using a particular solution (such as
>> SS) is a requirement and make-or-break on whether Lift can be used, so I
>> don't see the ability to make Lift work with such software as a negative.
>>
>> I have a lot more to say on this, but have to run. Maybe later.
>>
>> Chas.
>>
>>
>>
>
>
> --
> Viktor Klang
>
> Blog: klangism.blogspot.com
> Twttr: viktorklang
>
> Lift Committer - liftweb.com
> AKKA Committer - akkasource.org
> Cassidy - github.com/viktorklang/Cassidy.git
> SoftPub founder: http://groups.google.com/group/softpub
>
>
>


-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Git some: http://github.com/dpp
