As for my specific requirements:
I have a simple intranet application. There is a public (no auth)
section, and a secure section for logged-in users. My main requirement
is simple. I want to force the users to authenticate (log in) before
they access the restricted portion of the application. View paths to
this portion are predictable (i.e. /public/* vs /system/*). Desired
authorization scheme will be rather simple (e.g. admins, users,
unauthenticated). I may want control-level access controls later, but I
feel that a good approach to page-level authorization is the most
important goal here.
It almost sounds like container-managed security would be sufficient for
my needs. However, the documentation from my container (JBoss) seems
overly detailed and complex - I couldn't even tell when they were
talking about JAAS rather than container-managed security. Is this
overkill for me, or am I seeing more complexity than there has to be?
I'm just not sure yet...
Thanks guys for your time, thoughts, and opinions...
Regards,
Jeff Bischoff
Kenneth L Kurz & Associates, Inc.
Jeff Bischoff wrote:
Greetings Colleagues,
I have often wondered what the majority of you are using for
authentication and authorization in your non-public websites. Over the
last year on this mailing list, I have seen bits and scraps of
discussion on this topic. Most often, I hear mention of solutions like
container-managed security and phase listeners. Sometimes custom
navigation-handlers or servlet filters get mentioned too. Can't say I've
quite seen evidence of any consensus on which of these is preferred, so
I'm interested to hear your thoughts.
I have come across this article [1] which offers an approach (and some
source code) to authorization in JSF. What are your opinions on this
approach? Would you consider this and similar approaches to be best
practice? What other alternatives can you recommend (from experience)?
I will post my specific requirements for my security search as a reply
to this post, so as not to narrow the overall discussion.
[1] http://java.sys-con.com/read/250254_1.htm
Regards,
Jeff Bischoff
Kenneth L Kurz & Associates, Inc.
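Container-managed security for the page-level requirement stated in the reply at the top of this thread (/public/* open, /system/* only for logged-in users holding the admins or users role), as an added web.xml example that is not from the thread or the article it cites. The login page paths and the admin-only area under /system/admin/ are assumptions for illustration.

```xml
<!-- Added example web.xml fragment (not from the thread). Assumes a Servlet 2.4
     deployment descriptor and application roles named "users" and "admins". -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Everything under /system/ requires an authenticated user in one of the roles. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted section</web-resource-name>
      <!-- The pattern matches the request URL, not the JSF view id: if the Faces
           servlet is mapped to /faces/*, the pattern must be /faces/system/* instead. -->
      <url-pattern>/system/*</url-pattern>
      <!-- Deliberately no <http-method> element: listing only GET and POST would
           leave every other method (HEAD, PUT, ...) unprotected on these URLs. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
      <role-name>admins</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Assumed admin-only area; the most specific matching constraint wins here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/system/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admins</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /public/* needs no constraint. Unmatched URLs stay open, so every restricted
       page must live under /system/; a page placed elsewhere is reachable by anyone. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>intranet</realm-name>
    <form-login-config>
      <form-login-page>/public/login.jsp</form-login-page>
      <form-error-page>/public/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>users</role-name></security-role>
  <security-role><role-name>admins</role-name></security-role>
</web-app>
```

Which users belong to which role is decided by the container's realm, not by web.xml; in JBoss this is the security domain referenced from jboss-web.xml and its login module, which is the JAAS part of the JBoss documentation.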