On 10 Jun 2002, Dave Weis wrote:
> Date: 10 Jun 2002 14:00:44 -0500
> From: Dave Weis <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: Re: User Authentication
>
> On Mon, 2002-06-10 at 13:56, Craig R. McClanahan wrote:
>
> [snip]
>
> > In general, I would recommend that apps be developed using container
> > managed security capabilities -- for example, form-based login defined in
> > the Servlet spec (http://java.sun.com/products/servlet/download.html).
> > Then, you can let the container worry about login management.
>
> I've got a question about container managed security. Why was
> security-constraint standardized, but not the actual authentication
> code? It makes moving between servlet containers a pain.
>
Which authentication code? The only code your application needs to care
about is the form login page (if you're using form-based login); all of
the grunt work of *doing* the authentication is inside the container.

If you mean a standard way for a container to interact with the user
database (i.e. what Tomcat does with its Realm APIs), this is a *much*
larger technical challenge than it might appear, because needs vary quite
widely. There is ongoing work on the "authorization" part of this problem
in JSR-115; the "authentication" part hasn't been formally addressed in a
JSR yet (except for JAAS, which doesn't solve all the issues yet either),
although I expect it will be at some point.
> dave
>
Craig McClanahan