My problem with using JAAS on smaller projects is that I like to be able to develop more than one project at a time within the same Tomcat, and using JAAS forces you to add a bunch of code to Tomcat's lib. Also, for smaller clients it's much easier (read cheaper) to deploy app-managed security. Yes, I agree: if you have a single Tomcat per client (as most deployments will often end up) then use JAAS, but from the JSF page layer it will look the same. You'll still want a managed bean that provides a map of roles and gives you access to the logged-in user object.
cheers
dave
On 26/01/2005, at 5:53 PM, Korhonen, Kalle wrote:
-----Original Message-----
From: niksa_os [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 26, 2005 5:23 AM
Subject: Re: How do you handle security with JSF?
Do you know of any API or framework that simplifies JAAS?
Or do you build it all from scratch?
From: Dave Sag [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 26, 2005 4:55 AM
JAAS is non-trivial and I'd only use it where you need single sign-on across several systems. Unfortunately there is no request.setUserPrincipal() method, so if you want to handle the login yourself you need to use your own managed beans.
Even if you don't need single sign-on for more than one system, JAAS makes it possible to use container-managed security, as it separates out your authentication and authorization code into its own module. Container-managed authorization is likely more secure than something you would write yourself. If you don't want to rely on the container, another way of implementing authorization is with filters. The benefit there is that you can integrate the login better with the JSF framework. Either way, JAAS is a good way of implementing the security model. It can do a lot of other things besides just authorizing URLs. Yes, there's a little learning curve to it, but the framework itself isn't too heavy.
Kalle
On 26/01/2005, at 1:34 PM, niksa_os wrote:
How did you build JAAS?
JAAS is just an API, not an implementation, right?
Did you use any framework or tool to help?
For smaller projects I use a managed bean in conjunction with a servlet filter. I also have a singleton UserRegistry class that both the login handler and the filter can access. This works very reliably.
For bigger projects where we need to integrate several systems with single sign-on we use JAAS, but for small projects that's way overkill.
cheers
dave
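As an added illustration, not code posted by anyone in this thread, here is one way the "managed bean + servlet filter + singleton UserRegistry" arrangement Dave describes, and the filter-based authorization Kalle mentions, can be wired up in a Servlet 2.4 / JSF 1.1 application. The class names, the session attribute name "user", the URL layout (/login.jsf, /public/, /admin/), the navigation outcomes and the two sample accounts are all assumptions made for this example; a real registry would load accounts from a store and use a deliberately slow password hash.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.servlet.*;
import javax.servlet.http.*;
/** Singleton consulted by both the login bean and the filter (example code; each class normally gets its own file). */
public final class UserRegistry {
    /** A logged-in user, kept in the session; pages read it as #{user.name} and #{user.roles.admin}. */
    public static final class User {
        private final String name;
        private final Map<String, Boolean> roles = new HashMap<String, Boolean>();
        User(String name, String[] roleNames) {
            this.name = name;
            for (String r : roleNames) roles.put(r, Boolean.TRUE);
        }
        public String getName() { return name; }
        public Map<String, Boolean> getRoles() { return Collections.unmodifiableMap(roles); }
    }
    private static final UserRegistry INSTANCE = new UserRegistry();
    private final SecureRandom random = new SecureRandom();
    private final Map<String, byte[]> salts = new HashMap<String, byte[]>(), hashes = new HashMap<String, byte[]>();
    private final Map<String, User> users = new HashMap<String, User>();
    private UserRegistry() {
        // Constructed sample accounts (an assumption); a real registry loads these from a store.
        add("alice", "correct horse", "admin", "user");
        add("bob", "battery staple", "user");
    }
    public static UserRegistry getInstance() { return INSTANCE; }
    private void add(String name, String password, String... roleNames) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        salts.put(name, salt);
        hashes.put(name, hash(salt, password));
        users.put(name, new User(name, roleNames));
    }
    /** Returns the User on success, null for an unknown name or a wrong password alike. */
    public User authenticate(String name, String password) {
        byte[] salt = salts.get(name);
        // Hash even for unknown names so response time does not reveal which names exist.
        byte[] candidate = hash(salt == null ? new byte[16] : salt, password == null ? "" : password);
        byte[] expected = hashes.get(name);
        if (expected == null || !MessageDigest.isEqual(expected, candidate)) return null;
        return users.get(name);
    }
    // Salted SHA-256 keeps the listing short; a deliberately slow hash (PBKDF2, bcrypt) belongs in real code.
    private static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(salt);
            return md.digest(password.getBytes("UTF-8"));
        } catch (Exception e) { throw new IllegalStateException(e); }
    }
}
/** Request-scoped managed bean behind the login form, declared in faces-config.xml as "loginBean" (assumed). */
class LoginBean {
    private String username, password;
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
    public String login() {
        UserRegistry.User user = UserRegistry.getInstance().authenticate(username, password); password = null;
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (user == null) {
            ctx.addMessage(null, new FacesMessage("Login failed"));
            return "login";   // navigation outcomes are mapped in faces-config.xml
        }
        // Discard any pre-login session so a session id issued before login cannot be reused (fixation).
        HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
        HttpSession old = req.getSession(false); if (old != null) old.invalidate();
        req.getSession(true).setAttribute("user", user);
        return "home";
    }
}
/** Filter mapped to /* in web.xml: every request outside the public paths needs a logged-in user. */
class AuthFilter implements Filter {
    private static final String[] PUBLIC = { "/login.jsf", "/public/" };
    private static final Map<String, String> REQUIRED_ROLE = new LinkedHashMap<String, String>();
    static { REQUIRED_ROLE.put("/admin/", "admin"); }   // URL prefix -> role it requires
    public void init(FilterConfig cfg) {}  public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // servletPath + pathInfo is decoded and carries no ;jsessionid, unlike getRequestURI().
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        for (String p : PUBLIC) if (path.startsWith(p)) { chain.doFilter(rq, rs); return; }
        HttpSession session = req.getSession(false);
        UserRegistry.User user = session == null ? null : (UserRegistry.User) session.getAttribute("user");
        if (user == null) { res.sendRedirect(req.getContextPath() + "/login.jsf"); return; }
        for (Map.Entry<String, String> e : REQUIRED_ROLE.entrySet()) {
            if (path.startsWith(e.getKey()) && !user.getRoles().containsKey(e.getValue())) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN); return;
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

The login form binds its fields to #{loginBean.username} and #{loginBean.password} and its button to #{loginBean.login}; web.xml maps AuthFilter to /* and faces-config.xml declares loginBean as request-scoped with navigation rules for the "login" and "home" outcomes (all assumed wiring). Because the filter and the pages only ever look at the "user" session attribute and its role map, the page layer keeps the same shape if the registry is later swapped for a JAAS realm, which is the point Dave makes about the JSF layer looking the same either way. Two caveats worth keeping in mind with a filter like this: the prefix match runs on the decoded servlet path, so role-protected areas must be whole directories rather than individual file names, and the login page itself must stay on the public list or the redirect loops.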