On Thu, 18 Jul 2002, Joe Celentano wrote:

> Date: Thu, 18 Jul 2002 12:02:27 -0400
> From: Joe Celentano <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: RE: Struts/Container-Managed Authentication Question
>
> Max Cooper wrote:
>
> > Another alternative is to use a filter to mimic container-managed security
> > [including wrapping the request with your implementations of
> > getRemoteUser()
> > and isUserInRole()]. This way, you could provide a programmatic
> > interface to
> > log users in with an Action, ...
>
> I have read MANY previous discussions on this list debating container vs.
> app managed security. Usually they end up suggesting that since container
> managed is limited, if you can't use it, then roll your own, similar to the
> above comment. Craig's reply also said basically the same thing.
>

Container managed security is just like any other technology -- it is
designed to meet a specific set of requirements.  If your requirements
match up with those features, great ... it's easy to use it.  If they
don't, then you can't.

My caution to you, though, is that rolling your own security makes it way
too easy to write insecure applications, because almost nobody who writes
apps is a security expert.  Plus, it's a pretty large amount of work to
get this right.  And those developer manhours are expensive.  And those
hours could have been used to work on your application instead of your
infrastructure ...

Also, if your app needs (or ever will need) EJBs, you're going to have to
use container managed security anyway.

> So is anybody aware of an Apache-like project that is attempting to
> implement a "generic" application security solution for this problem? I
> mean, with filters and the ability to wrap the request, as Max mentioned, a
> pretty robust solution could be developed that could be easily extended for
> different db schemas, etc. Yet I feel like we're all reinventing the wheel
> here, each of us implementing tactical rather than strategic solutions.
>

I do not believe there will ever be such a thing as a "generic"
application security solution that meets a large majority of people's
needs.  The problem is that the needs (well, at least their wants :-) vary
too much, so any given "application security solution" is going to have
its own design limits that people are going to run into.

> Sorry if there's already been a discussion of these projects, but I looked
> and couldn't find any...
>
> Thanks,
> Joe
>

Craig
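As an added illustration of the filter approach Max describes above (wrapping the request so that getRemoteUser() and isUserInRole() answer from the application's own login state), here is a minimal Servlet 2.3-style filter. This is example code written for this page, not code from the thread, from Struts, or from any project; the session attribute key, the AuthenticatedUser class and the /secure/ path prefix are assumptions, and a real deployment would still need Craig's caution taken seriously (the login, logout and role-lookup code around it is exactly the part that is easy to get wrong).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Filter that mimics container-managed security: a login Action stores an
 * AuthenticatedUser in the session, and this filter wraps every request so
 * that getRemoteUser(), getUserPrincipal() and isUserInRole() reflect it.
 * Map it in web.xml with a filter-mapping on "/*".
 */
public class AppSecurityFilter implements Filter {

    // Assumed session attribute name; pick one that no other code writes.
    static final String USER_KEY = "app.authenticatedUser";

    // Assumed URL prefix that requires a logged-in user.
    static final String PROTECTED_PREFIX = "/secure/";

    /** Immutable identity snapshot placed in the session at login time. */
    public static final class AuthenticatedUser implements Principal {
        private final String name;
        private final Set<String> roles;

        public AuthenticatedUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(roles);
        }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Request wrapper that answers the security methods from our own state. */
    static final class SecuredRequest extends HttpServletRequestWrapper {
        private final AuthenticatedUser user; // null when nobody is logged in

        SecuredRequest(HttpServletRequest req, AuthenticatedUser user) {
            super(req);
            this.user = user;
        }
        public String getRemoteUser()       { return user == null ? null : user.getName(); }
        public Principal getUserPrincipal() { return user; }
        public boolean isUserInRole(String role) {
            return user != null && user.hasRole(role);
        }
    }

    /**
     * Helper a login Action would call after verifying credentials. The old
     * session is discarded first so an attacker-supplied session id is not
     * upgraded to an authenticated one.
     */
    public static void login(HttpServletRequest req, AuthenticatedUser user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_KEY, user);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Only read an existing session; never create one just for the check.
        HttpSession session = req.getSession(false);
        AuthenticatedUser user = (session == null)
                ? null
                : (AuthenticatedUser) session.getAttribute(USER_KEY);

        // Path under the context root, e.g. "/secure/report.do".
        String path = req.getServletPath();
        if (path != null && path.startsWith(PROTECTED_PREFIX) && user == null) {
            // Anonymous access to a protected resource: deny before the chain runs.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Downstream Actions and JSPs now see request.isUserInRole("admin") etc.
        chain.doFilter(new SecuredRequest(req, user), response);
    }
}
```

Two things this keeps from container-managed security that home-grown code often drops: the protected-path decision is made once, in the filter, rather than in each Action, and the session is invalidated and re-created at login rather than reused. Everything else (credential verification, role lookup from your schema, logout) still has to be written and reviewed by you, which is the cost Craig is pointing at.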


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
