On Tue, 8 Oct 2002, Madel,Kurt wrote:

> Date: Tue, 8 Oct 2002 12:49:26 -0400
> From: "Madel,Kurt" <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: 'Struts Users Mailing List' <[EMAIL PROTECTED]>
> Subject: RE: Using CheckLogin tag from within tiles
>
> What about JAAS?
>

What about it?  :-)

There are still at least a few issues to consider:

* Some containers support JAAS under the covers in their CMA
  implementation (Tomcat has an experimental Realm that does it)
  so this might already be used in your environment.

* JAAS tries to standardize a "dialog" with the user to
  acquire the username and password.  That doesn't fit well in
  an HTTP environment, so the programming interface to it is
  really ugly (look at the sources for JAASRealm and friends
  to get an idea).

* JAAS still doesn't provide any standard APIs for setting up
  new users, changing passwords, and all that sort of thing.

> Kurt Madel
> Programmer, CSMi
> (703) 823-4300 ext. 170
>

Craig


>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 08, 2002 12:30 PM
> To: Struts Users Mailing List
> Subject: RE: Using CheckLogin tag from within tiles
>
>
>
> On Tue, 8 Oct 2002, David Graham wrote:
>
> > Date: Tue, 08 Oct 2002 01:01:32 -0600
> > From: David Graham <[EMAIL PROTECTED]>
> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: RE: Using CheckLogin tag from within tiles
> >
> > Craig,
> > I agree with most of your points but you must admit that the non-standard
> > implementations of CMA are a pain.  Not really when you work for a company
> > that sells a container (Sun, BEA, IBM) because you'll always be using
> > theirs, but when developing for a number of containers this can be painful.
> >
> > It would help if at least one standard implementation was prescribed by the
> > spec...I personally like tomcat's jdbc realm implementation.
> >
>
> There are actually two pieces to this problem.
>
> * For authorization (i.e. looking up roles), the APIs for
>   common plugins for containers were standardized in JSR-115,
>   which is part of J2EE 1.4 (and is being implemented in
>   Tomcat 5).
>
> * For authentication (i.e. username/password type checks),
>   no such standardization has yet taken place.
>
> The problem with something like Tomcat's Realms is that they don't come
> anywhere close to meeting all the real world requirements (which is
> another reason people don't use CMA even if they don't have to worry about
> cross-container issues).  It is a very complex problem space -- go get and
> read the JSR-115 spec (currently in proposed final draft) if you want a
> feel for this :-).
>
> I just wanted to remind people that they really are playing with fire when
> they take authentication and authorization upon themselves.
>
> > Dave
>
> Craig
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
