On Tue, 8 Jul 2003 08:07:18 +0530, souravm wrote:

>
>Hi All,
>
>I'm building a web application using MVC (and hence using Struts).
>
>Now for security (Authentication and Authorization) of the application
>I'm planning to use JAAS.
>
>In the process of understanding JAAS I found that the default
>implementation of the authorization component expects the authorization
>policy has to be specified in a file.
>
>Now in this context my query is how safe is it to use this file-based
>authorization policy mapping. From my viewpoint anyone can change this
>policy file to compromise the security. Instead, isn't it a better
>approach to put the authorization policy related rules in a database?

Using a file is as secure as your OS's file security.  The real problem with file-based
security is that it is inflexible, and doesn't scale at all well.  I suspect
file security is the default because it is simple to explain and doesn't need any
extra software.

The best place to store authorisation information (imho) is in an LDAP.  This gives
you a securable, scalable place to store the info, in a standard way, that can be read
and updated by a wide range of tools.  I suspect most (all?) app servers will do LDAP-based
security pretty trivially.

- Korny
--
Kornelis Sietsma   http://www.sietsma.com/korny  [EMAIL PROTECTED]
goofey: korny  yahoo: kornysietsma  icq: 2039172 ph: 0421 079 693
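The two points in the reply above, that a policy file is only as safe as the OS permissions on it and that the store can be something other than a file, can be shown in code. The following is an added example and not code from this thread or from the JAAS/Struts projects; it assumes Java 11+ on a POSIX filesystem, and the principal name, the `manageAccounts` permission and the `DirectoryPolicy` class are constructed for illustration. It first checks a (constructed) policy file for group- or world-writable bits, then expresses the same grant through a custom `java.security.Policy` backed by a map, which is where an LDAP or database lookup would go.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not code from the thread. It illustrates two points from the reply:
 *  1. a file-based JAAS policy is exactly as trustworthy as the OS permissions on the
 *     file, so an application can check those permissions before the policy is installed;
 *  2. the policy store can be replaced by a lookup service (LDAP or a database) by
 *     supplying a custom java.security.Policy; a HashMap stands in for that directory here.
 * Assumes Java 11+ on a POSIX filesystem. All names and grants are constructed.
 */
public class PolicyStoreCheck {

    /** Permission bits that let accounts other than the owner rewrite the policy file. */
    private static final Set<PosixFilePermission> UNSAFE = EnumSet.of(
            PosixFilePermission.GROUP_WRITE, PosixFilePermission.OTHERS_WRITE);

    /**
     * Returns the unsafe permission bits present on the policy file (empty set = acceptable).
     * Group- or world-writable means any local account in that group can edit the grants,
     * which is the "anyone can change this policy file" concern from the question.
     * Files.getPosixFilePermissions throws UnsupportedOperationException on non-POSIX
     * filesystems (e.g. NTFS), where the ACL would have to be inspected instead.
     */
    public static Set<PosixFilePermission> unsafeBits(Path policyFile) throws IOException {
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(policyFile);
        EnumSet<PosixFilePermission> bad = EnumSet.noneOf(PosixFilePermission.class);
        bad.addAll(actual);
        bad.retainAll(UNSAFE);
        return bad;
    }

    /** Trivial Principal carrying only a user name; a LoginModule would normally add one. */
    public static final class NamePrincipal implements Principal {
        private final String name;
        public NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Policy whose grants come from a lookup store (principal name -> permission names)
     * rather than a file. In production the map lookup would be an LDAP or database query.
     */
    public static final class DirectoryPolicy extends Policy {
        private final Map<String, Set<String>> grants;

        public DirectoryPolicy(Map<String, Set<String>> grants) { this.grants = grants; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            for (Principal p : domain.getPrincipals()) {
                Set<String> allowed = grants.get(p.getName());
                if (allowed != null && allowed.contains(permission.getName())) {
                    return true;
                }
            }
            return false;   // deny by default
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed policy file in the standard Java policy grammar: alice may manageAccounts.
        String policyText = String.join("\n",
                "grant principal PolicyStoreCheck$NamePrincipal \"alice\" {",
                "    permission java.lang.RuntimePermission \"manageAccounts\";",
                "};", "");
        Path file = Files.createTempFile("app", ".policy");
        try {
            Files.writeString(file, policyText);
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
            System.out.println("0644 unsafe bits: " + unsafeBits(file));
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-rw-r--"));
            System.out.println("0664 unsafe bits: " + unsafeBits(file));
        } finally {
            Files.delete(file);
        }

        // The same grant held in a lookup store instead of the file.
        Map<String, Set<String>> store = new HashMap<>();
        store.put("alice", Set.of("manageAccounts"));
        Policy policy = new DirectoryPolicy(store);
        ProtectionDomain alice = new ProtectionDomain(null, null, null,
                new Principal[] { new NamePrincipal("alice") });
        ProtectionDomain bob = new ProtectionDomain(null, null, null,
                new Principal[] { new NamePrincipal("bob") });
        Permission manage = new RuntimePermission("manageAccounts");
        System.out.println("alice manageAccounts: " + policy.implies(alice, manage));
        System.out.println("bob manageAccounts:   " + policy.implies(bob, manage));
    }
}
```

The permission check only covers the case the question raises (a local account editing the file); it says nothing about who can change the LDAP or database entries, so the same "who can write here?" question has to be asked of whichever store replaces the file. `DirectoryPolicy` denies anything not explicitly granted, which is the behaviour to keep when the lookup is moved to a directory.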
