> Im in the process of re-engineering an application and I am
> focusing on
> how to implement the security. The current application uses a
> combination of security checks within the action classes and
> jsp custom
> tags based upon a user session object. After reading more about the
> form-based security provided by J2EE compliant app servers
> however, I am
> thinking that server based security is a more robust solution. Im
> curious how other developers are approaching security. If you
> are using
> application server managed security, have you run into any
> limitations,
> or has it been a better approach than a custom solution? Thanks,
Application server managed security is a very good
solution, IF your application doesn't require running
business logic as part of the login process.
If your login process requires checking this and that
from a datasource and/or do conditional processing
based on the "state" of the user, the application,
a third party or any other system, then application
server managed security is going to be a problem for
you.
The reason is that the servlet specification doesn't
require application server vendors to provide any
means to hook up a custom login process into the
application server managed security login.
It can be done, but the solutions are more like
hacks than solid programming. Furthermore any
solution you will come up with is most likely
going to be non-portable between app servers.
We've recently implemented form based security with
custom login using WebSphere (and Tomcat) and the
solution we came up with is less than optimal from
security, MVC architectural and code maintainability
point of view.
In summary: if you do NOT have a custom login process,
you're cool. If you do, make sure you have a neverending
supply of painkillers at hand. You'll need them.
-TPP
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
