I think that one of the issues is that the form-based login is too black and white.
My current EJB application makes decisions about what the user can and can't do based
on their available Roles. We currently implement our own LoginServlet to pass default
security credentials to the EJB server until such a time as the user feels led to
provide their own. We can't do this with automatic form-based login, since it is an
'all or nothing' approach.
So, we allow the user to begin a session, even if they are not yet authenticated.
Perhaps the bold statement would be more appropriately voiced 'Servlet API
form-based-login sucks', and would not be so extreme. The security facilities of EJB
are just fabulous, IMHO.
Thanks for listening,
David.
> >>Umm, maybe because J2EE security services SUCK? :-)
>
> That is a bold statement considering security is one of the key features of J2EE.
> I am curious to hear others' opinions on this issue.
>
David Bullock
LISAsoft Project Lead
Sun Certified Programmer for the Java 2 Platform
email: [EMAIL PROTECTED]
mobile: +61 4 0290 1228
"The key ingredients of success are a crystal-clear goal,
a realistic attack plan to achieve that goal,
and consistent, daily action to reach that goal."
Steve Maguire, "Debugging the Development Process".
LISAsoft
http://www.lisasoft.com/