A pooled Data Access Layer (i.e. EJBs) is pretty standard, but I'd prefer a uid & p/w that was not unique to an app. For example, using Kerberos to authenticate, LDAP for coarse-grained authorization, and a DB for finer-grained authorizations. But wait, that would mean they'd have to use JAAS!
Regards, Robert
Gary Hardy wrote:
Robert,
You hit it on the head... And, prevail? not a chance, they're a client... I'm the consultant. And, JAAS? Please. We can't even agree about CMS.
The posting was 1) a rant. 2) fishing for a little parting wisdom (not mine) to leave with them to "think about".
CMS is fine just the way it is. And, a pooled DAL that uses a single, configurable uid & p/w per application seems pretty "standard" I'd say.
gary...
From: Robert Hall <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
Date: Fri, 14 Nov 2003 10:17:04 -0800
To: Tomcat Users List <[EMAIL PROTECTED]>
Subject: Re: application security gone mad
Gary,
WOW, how could one possibly justify/rationalize the complicated approach you described in your original post? The "architecture" as described makes no real use of CMS. Sounds like a combination of "not invented here" and "I don't understand it so I'm not gonna use it".
You're on the right track, hope you prevail.
Is JAAS being used?
Robert