Pete,

You sound like you are on the same path I am. The last application used a custom model that was written in-house, based on JSP tags and Struts action servlets. With the current project, we are using TC to provide the security (via LDAP to a Novell NDS tree).

So far, the only surprise is that form-based authentication is a real stinker for development. When a class gets reloaded, the login information goes south, and you have to log in again to refresh your page. Grrr. If you change to BASIC authentication, this is not a problem, but you have to be sure that if you are running over an untrusted network you are always going over SSL, because the userid/password is sent as clear text with every request.

One of the reasons we went with TC-based security instead of the "roll-your-own" variety was because now we can more easily harvest the web logs (that are automatically generated) for usage information using WebTrends or other tools. Based on the logs (which contain the userid), we have a good idea of who uses what, when they use it, how often, what time of day, what day of the week or month, etc. We can then look at what users really use and focus our efforts instead of guessing based upon who complains the loudest. ;-)

Larry

>>> [EMAIL PROTECTED] 04/29/02 02:12PM >>>
curious how other developers are approaching security. If you are using application server managed security, have you run into any limitations, or has it been a better approach than a custom solution? Thanks,
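
The BASIC-over-SSL requirement mentioned in the reply above can be enforced by the container rather than left to convention. The following `web.xml` fragment is an added example, not part of the original email or the poster's configuration; the URL pattern, role name and realm name are placeholders.

```xml
<!-- Added example: elements placed inside <web-app> in WEB-INF/web.xml. -->
<!-- /app/*, appuser and "Example Realm" are hypothetical placeholder values. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>

  <!-- Only authenticated users in this role may reach the protected URLs. -->
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>

  <!-- Weak form: omit <user-data-constraint> (or use NONE) and the container
       accepts BASIC credentials over plain HTTP on every request.
       Corrected form: CONFIDENTIAL makes the container require an encrypted
       transport for these URLs; Tomcat redirects plain-HTTP requests to the
       port named by the HTTP connector's redirectPort attribute. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
```

With container-managed authentication in place, the authenticated userid is what appears in the remote-user field of the access log, which is what makes the per-user usage reporting described above possible.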

