On Thu, 18 Jul 2002, Nelson, Laird wrote:
> Date: Thu, 18 Jul 2002 13:14:49 -0400
> From: "Nelson, Laird" <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: 'Struts Users Mailing List' <[EMAIL PROTECTED]>
> Subject: RE: Struts/Container-Managed Authentication Question
>
> > -----Original Message-----
> > From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> > I do not believe there will ever be such a thing as a "generic"
> > application security solution that meets a large majority of people's
> > needs. The problem is that the needs (well, at least their wants :-) vary
> > too much, so any given "application security solution" is going to have
> > its own design limits that people are going to run into.
>
> A nice middle ground that would not require boiling the ocean would be a
> simple interface that allows callers to add, update and remove users and
> roles.
What's a "user" (i.e. what properties does one have)? What's a "role"?
How about "groups"? Oh, and now I need SSL certificates. And
public/private keys. And application-specific extension properties. Oh,
don't forget to link into external authentication infrastructures (like
Project Liberty, or Passport in the MS world). But I've already *got*
users defined in my database, and just want to use those. And ...
Is that global warming I'm feeling? :-)
> I find that the only thing I usually need above and beyond the
> current container-managed security API is the ability to create new users
> and roles. Every container I've worked with has the ability to make these
> calls with their own APIs--all the concepts and logical objects are the
> same--but the implementations basically suffer from name incompatibilities.
>
Answering these kinds of questions for a single server or application is
fairly easy. Answering them globally for a portable standard is quite a
bit of work.
> Cheers,
> Laird
Craig