>Without trying to get into a flame war about it (I'm not interested ... the
>following is just my personal preference), that's basically the philosophical
>difference between a "trust model" and a "sandbox model" of security.

I, too, am not interested in flame wars...

>A sandbox model is more paternalistic (is there a gender-neutral version of
>this term? :-):  "I'm going to protect you from yourself by not even allowing
>certain potentially dangerous activities."  At the level of a generic API, my
>personal preference is for this attitude to be present; hence, I liked the
>changes to deprecate HttpSessionContext and getServlet.

I appreciate the point you are making. I think "hardcoded" sandboxes are a
bit of overkill usually however. They don't recognise the complexity of the
real world. For example the original Applet java sandbox was useful, but too
restrictive for some - people wanted to be able to customise its behaviour,
and now they can... it's almost a philosophical issue, like can you achieve
anything in this world without a certain implicit level of trust? :-)

>In the particular case of this desire (accessing all the sessions in your app),
>a creative design can work around the deprecation of HttpSessionContext for
>your own particular app.  I know this, because I had to do so to meet the
>functional requirements for a particular application (restricting simultaneous
>logins on the same username, and allowing a sysadmin to forcibly terminate a
>particular session).  But I'm not going to explain how -- I'll take
>responsibility for loading the gun and pointing it at myself (100% of the code
>in this app came from my own fingertips), but not anyone else.

:-)

Geoff


:-)

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
