> -----Original Message-----
> From: niksa_os [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 26, 2005 5:23 AM
> Subject: Re: How do you handle security with JSF?
> Do you know of any API or framework that simplifies JAAS?
> Or do you build it all from the start?
> > From: Dave Sag [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, January 26, 2005 4:55 AM
> > JAAS is non-trivial and I'd only use it where you need single-sign in
> > across several systems.  Unfortunately there is no
> > request.setUserPrincipal() method so if you want to handle the login
> > yourself you need to use your own managed beans

Even if you don't need single-sign in for more than one system, JAAS
makes it possible to use container-managed security as it separates out
your authentication and authorization code into its own module.
Container-managed authorization is likely more secure than something you
would write yourself. If you don't want to rely on the container,
another way of implementing authorization is with filters. The benefit
there is that you can integrate the login better with the JSF framework.
Either way, JAAS is a good way of implementing the security model. It
can do a lot of other things besides just authorizing URLs. Yes, there's
a little learning curve to it, but the framework itself isn't too heavy.

Kalle


> > On 26/01/2005, at 1:34 PM, niksa_os wrote:
> > 
> >> How did you build JAAS?
> >> JAAS is just an API, not an implementation, right?
> >>
> >> Did you use any framework or tool for help?
> >>
> >>> For smaller projects I use a managed bean in conjunction with a
> >>> servlet filter.  I also have a singleton UserRegistry class that both
> >>> the loginhandler and the filter can access.  This works very
> >>> reliably.
> >>> For bigger projects where we need to integrate several systems with
> >>> single-sign in we use JAAS, but for small projects that's way
> >>> overkill.
> >>> cheers
> >>> dave
> > 
> >
> 
> 
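
The filter-based approach discussed in this thread, sketched as an added example that is not code from any of the posters. The class name `AuthFilter`, the `authUser` session attribute (assumed to be set by the login managed bean after a successful login) and the `/login.jsf` path are assumptions, and the filter is assumed to be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration, not code from the thread. AuthFilter, the "authUser"
// session attribute and /login.jsf are assumed names.
public class AuthFilter implements Filter {
    static final String USER_ATTR = "authUser"; // set by the login managed bean on success
    static final String LOGIN_PATH = "/login.jsf";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Compare against the container-decoded path, not the raw
        // getRequestURI(), so encoded variants of a path cannot slip past.
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());

        // Default deny: only an exact match on the login page is reachable
        // without a session user; any other path falls through to the check.
        if (LOGIN_PATH.equals(path)) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false) never creates a session for an anonymous request.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PATH));
            return;
        }

        // Keep authenticated pages out of shared and browser caches.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(rq, rs);
    }
}
```

The login bean that sets the attribute should invalidate any pre-login session and create a fresh one before storing the user, so a session id issued to an anonymous visitor is never promoted to an authenticated one.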
