Actually, in my experience, any "real" application with moderate complexity will have security needs beyond what current container-managed authorization schemes can provide... i.e. most apps will need to use both container and application managed security.
I'd even go one step further to say that most "real" apps I've seen use application-managed security primarily, and container-managed security "superficially" (beyond authentication).

regards,
-Ade

-----Original Message-----
From: Tero P Paananen [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 5:24 PM
To: Struts Users Mailing List
Subject: RE: container managed security ...

> Something like this, or some portable container-level API with
> functionality similar to what Tomcat's (4.1.x) "UserDatabase" provides, is
> a long term goal of the platform. Unfortunately, it is *substantially*
> more complex than you might think to identify what a "user" is in a manner
> that is portable across all desirable use cases -- let alone how they
> should be authenticated. It's not going to be a short term effort to
> standardize this.

Maybe put in a baseline implementation (role based authentication) with express instructions to really, really, really use container managed security for mission critical software?

That way people interested in fast prototyping or using Struts for personal projects could use platform independent user authentication and people who require "real" solutions would still be able to use the J2EE security model.

-TPP

