Aside from the realm-management issues, a nice feature in Struts 1.1 is that it makes it easier to fine-tune security on an action-by-action basis. Each ActionMapping can have its own list of roles, and if the user is not in these roles, they are bounced just like the container would have bounced them.
The processRoles extension method in the RequestProcessor also makes it easier to integrate an application-based scheme with Struts without straying too far from the conventional API. You can provide your own RequestProcessor that overrides processRoles with your own authentication scheme that either augments or replaces the standard API calls.

-- Ted Husted, Husted dot Com, Fairport NY US
-- Java Web Development with Struts
-- Tel: +1 585 737-3463
-- Web: http://husted.com/about/services

Ade Barkah wrote:
>
> Actually, in my experience, any "real" application with moderate
> complexity will have security needs beyond what current
> container-managed authorization schemes can provide... i.e. most apps
> will need to use both container and application managed security.
>
> I'd even go one step further to say that most "real" apps I've
> seen use application-managed security primarily, and
> container-managed security "superficially" (beyond authentication.)
>
> regards,
> -Ade
>
> -----Original Message-----
> From: Tero P Paananen [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 12, 2002 5:24 PM
> To: Struts Users Mailing List
> Subject: RE: container managed security
>
> ...
> > Something like this, or some portable container-level API with
> > functionality similar to what Tomcat's (4.1.x) "UserDatabase" provides, is
> > a long term goal of the platform. Unfortunately, it is *substantially*
> > more complex than you might think to identify what a "user" is in a manner
> > that is portable across all desirable use cases -- let alone how they
> > should be authenticated. It's not going to be a short term effort to
> > standardize this.
>
> Maybe put in a baseline implementation (role based authentication)
> with express instructions to really, really, really use container
> managed security for mission critical software?
>
> That way people interested in fast prototyping or using Struts for
> personal projects could use platform independent user authentication
> and people who require "real" solutions would still be able to use
> the J2EE security model.
>
> -TPP
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
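
An added example, not part of the original message or of the Struts code base: one way to override processRoles so that the roles listed on an ActionMapping are checked against both the container and an application-managed role set. The package, class name and session attribute key are hypothetical, and it assumes the application's login code stores a Set of role-name Strings in the session.

```java
package com.example.security; // hypothetical package

import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Register in struts-config.xml:
 *   <controller processorClass="com.example.security.AppRoleRequestProcessor"/>
 */
public class AppRoleRequestProcessor extends RequestProcessor {

    // Assumption: the login action stores a Set of role-name Strings here.
    public static final String APP_ROLES_KEY = "com.example.security.APP_ROLES";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // no roles attribute on this mapping: not restricted
        }

        // Do not create a session just to perform the check.
        HttpSession session = request.getSession(false);
        Object stored = (session == null) ? null : session.getAttribute(APP_ROLES_KEY);
        Set appRoles = (stored instanceof Set) ? (Set) stored : null;

        for (int i = 0; i < required.length; i++) {
            // Container-managed role first, then the application-managed set.
            if (request.isUserInRole(required[i])
                    || (appRoles != null && appRoles.contains(required[i]))) {
                return true;
            }
        }

        // Fail closed: no match means the Action is never invoked.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```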

