On Mon, 10 Jun 2002, Craig R. McClanahan wrote:

> On 10 Jun 2002, Dave Weis wrote:
> > On Mon, 2002-06-10 at 13:56, Craig R. McClanahan wrote:
> > [snip]
> > > In general, I would recommend that apps be developed using container
> > > managed security capabilities -- for example, form-based login defined in
> > > the Servlet spec (http://java.sun.com/products/servlet/download.html).
> > > Then, you can let the container worry about login management.
> > I've got a question about container managed security. Why was
> > security-constraint standardized, but not the actual authentication
> > code? It makes moving between servlet containers a pain.
> If you mean a standard way for a container to interact with the user
> database (i.e. what Tomcat does with its Realm APIs), this is a *much*
> larger technical challenge than it might appear, because needs vary quite
> widely. There is ongoing work on the "authorization" part of this problem
> in JSR-115; the "authentication" part hasn't been formally addressed in a
> JSR yet (except for JAAS, which doesn't solve all the issues yet either),
> although I expect it will be at some point.

That's the part I was talking about. Tomcat and Resin aren't too bad, but I never have found an example of container managed security with Websphere. I do like container managed security, but choosing it would be even easier if you could deploy on any servlet engine and everything worked.

dave

--
Dave Weis
[EMAIL PROTECTED]

"I believe there are more instances of the abridgment of the freedom of the people by gradual and silent encroachments of those in power than by violent and sudden usurpations."
- James Madison
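
The split this thread is about, shown as an added example that is not from either poster: the deployment descriptor below is the part the Servlet spec standardizes (security-constraint plus form-based login), and the closing comment marks the part it leaves to each container. The URL pattern, role name and JSP paths are hypothetical.

```xml
<!-- WEB-INF/web.xml fragment (Servlet 2.3 element order).
     Hypothetical names: /protected/*, role "member", /login.jsp, /login-error.jsp. -->
<web-app>

  <!-- Standardized: which URLs are protected and which role may reach them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- No http-method elements: the constraint covers every method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Form login posts the password in the request body, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Standardized: form-based login. The login page must POST the fields
       j_username and j_password to the action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

  <!-- Not standardized: where usernames, passwords and role membership are
       stored and checked. In Tomcat that is a Realm configured in the
       container's own files, outside this descriptor. -->
</web-app>
```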