| -----Original Message-----
| From: Will Hartung [mailto:[EMAIL PROTECTED]]
| Sent: Thursday, August 22, 2002 6:14 PM
| To: Tomcat Users List
| Subject: Re: Realm Security Implementation Question [OT]
| 
| From: "Jacob Hookom" <[EMAIL PROTECTED]>
| Sent: Thursday, August 22, 2002 11:19 AM
| 
| 
| > Sorry, I only glanced at the first Pstmt.
| >
| > The roles for our application(s) are complex enough that I'm almost
| > thinking of storing a Document (XML) for the user when they login, so
| > role validation actually is an XPath statement by which the Realm
| > queries the Principal's DOM for 1 or more nodes and returns true,
| > otherwise false.  This would lead to additional flexibility for querying
| > out all roles for a specific project, not just validating against them.
| > Also, future applications can attach themselves to the Document without
| > affecting current applications.
| 
| Wow! That sounds complicated. Does it really need to be this complicated?

Everything about container management seems to be URI/Filter based, but
we have issues of "okay, everyone can hit /project.do, but we authorize
based on a param".

| 
| > My only concern is memory. I am looking at Dom4j as the Principal's
| > Document, and from IBM's tests, it's the next best thing to XPP and it
| > has a memory footprint that's slightly smaller than Xerces.
| 
| You have the memory of the XML document and all of the classes.
| 
| > Either way, String[] vs. Document, there's going to be about 50+
| > elements and with strings, I would end up duplicating information
| > (project/id, project/id/role1, project/id/role2, project/id/role3).
| 
| Sure, but how many users? 10? 10000?
| 
| 50 entries * 25 chars per entry = 1250 chars, or 2500 bytes (as chars are
| 16-bits in Java). Seems pretty cheap to me.
| 
| It just seems expedient is all, the replicated roles are a little wasteful,
| perhaps, but it's simple. It works. It's easy to debug if you have problems.
| Depending on your load, it certainly gets you over the hump to move on to
| more interesting problems.

All the role data is being pulled from SQL, but we are thinking
about proxy'ing the Principal to check XPath role requests against a
single document, so all projects and user roles are actually stored in
one big document, which would also help with read requests like "give me
all of user 54's projects".

-Jacob

| 
| Regards,
| 
| Will Hartung
| ([EMAIL PROTECTED])
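
A sketch of the per-user role document discussed in this thread, added here as an illustration and not code from either poster or from Tomcat. It uses the JDK's javax.xml.xpath rather than Dom4j, it is not wired into a Realm, and the class name, element names and sample document are assumptions. The request-supplied project id is bound as an XPath variable instead of being concatenated into the expression.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class XPathRoleCheck {
    // Constructed sample: one user's projects and roles, as they might be loaded from SQL at login.
    static final String USER_DOC =
        "<user id='54'>"
      + "<project id='7'><role>viewer</role><role>editor</role></project>"
      + "<project id='9'><role>viewer</role></project>"
      + "</user>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // True if the user holds `role` on `projectId`. Both values are bound as XPath
    // variables, so a request parameter cannot change the shape of the expression.
    static boolean hasRole(Document userDoc, String projectId, String role) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name ->
            "pid".equals(name.getLocalPart()) ? projectId
          : "role".equals(name.getLocalPart()) ? role : null);
        return (Boolean) xp.evaluate(
            "boolean(/user/project[@id=$pid]/role[.=$role])", userDoc, XPathConstants.BOOLEAN);
    }

    // The read query from the thread: every project the user appears in.
    static List<String> projectIds(Document userDoc) throws Exception {
        NodeList n = (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate("/user/project/@id", userDoc, XPathConstants.NODESET);
        List<String> ids = new ArrayList<>();
        for (int i = 0; i < n.getLength(); i++) ids.add(n.item(i).getNodeValue());
        return ids;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USER_DOC);
        System.out.println("project 7 editor: " + hasRole(doc, "7", "editor"));
        System.out.println("project 9 editor: " + hasRole(doc, "9", "editor"));
        System.out.println("projects: " + projectIds(doc));
    }
}
```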

