unsubscribe

-----Original Message-----
From: Dave Wolf [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 5:41 AM
To: [EMAIL PROTECTED]
Subject: Re: Is LoginServlet bad practice?


> Umm, maybe because J2EE security services SUCK?  :-)
>
> Somebody didn't really think out the specification very well.
> Form-based login is a step up from boring old http authentication, but
> it doesn't go nearly far enough.  You can't:
>
> 1) Provide a login page.  Every membership-oriented site on the internet
> provides a login form on their front page (e.g. www.aol.com,
> www.hotmail.com).  Form-based login only lets you authenticate when you
> transition to a protected page.

But if you map /* as a protected resource then when they try to access the
site at all it forces a login.  Or any such mappings, say /secure etc.
You can force when and if a transition occurs just as you would force or
move such users to your login form.  You simply have to be smart about how
you set and map URL mappings as secured.


>
> 2) Allow the user to try again on the "bad password" page.  The user
> must hit "back" on their browser (or click on another link that takes
> them to the protected page).

Make the error page the login page then.  Or, have the error page do a
redirect back to the login page passing a particular error message.

>
> The form-based login might work ok for an e-commerce app, where
> authentication is only required on the transition to the checkout page,
> but the web is a lot more than just that.  This deficiency in the j2ee
> spec is the only reason I have any server-dependent code in my app at
> all.

I don't see how any of the above objections affect the J2EE based security
infrastructure.

Dave Wolf
Internet Applications Division
Sybase
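A deployment descriptor that does what the reply above describes (map /* as a protected resource so the first request to any page forces a login, and make the error page a login form again so a failed attempt is not a dead end), as an added example that is not from anyone in this thread. It follows the Servlet 2.3 web.xml DTD; the role name `member`, the realm name and the page paths are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Every URL in the application is protected, so the container forces a
       login on the very first request to any page, which is how a site gets
       a login form "on its front page" without any login servlet.  Narrow
       the pattern (for example /secure/*) to force the login only for part
       of the site. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "member" is an assumed role name; users are mapped to it in the
           container's realm configuration, not in application code. -->
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login.  The error page is the login page again (with a
       failure message), so after a bad password the user can simply resubmit
       instead of having to hit "back" in the browser. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Members</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

Both `/login.jsp` and `/login-failed.jsp` carry the same standard form: `method="POST"`, `action="j_security_check"`, with `j_username` and `j_password` fields; the container, not a servlet the application ships, checks the credentials against its realm, so there is no LoginServlet for internal staff to swap out. Two things to check in practice: the realm setup (which users hold `member`) is container-specific configuration, which is the server-dependent part this thread complains about, and with `/*` protected any stylesheet or image the login page references is protected too, so in most containers those static assets belong under a path the constraint does not cover.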

>
> Jeff
>
> >-----Original Message-----
> >From: Dave Wolf [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, January 31, 2001 9:28 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Is LoginServlet bad practice?
> >
> >
> >But why write a line of code when J2EE security services
> >provide this all to
> >you.
> >
> >Dave Wolf
> >Internet Applications Division
> >Sybase
> >
> >----- Original Message -----
> >From: "Rahman, Zahid" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Wednesday, January 31, 2001 12:03 PM
> >Subject: Re: Is LoginServlet bad practice?
> >
> >
> >> Not my opinion,
> >>
> >> With regard to internal staff changing the servlet  ?
> >>
> >> For instance what are you going to do if the staff take your physical machine,
> >> then what are you going to do ?
> >>
> >> Interesting point though. Not much you can do when the servlet methods are
> >> specified and common to all servlets. Not much you can do ?
> >>
> >> The key point here is internal staff changing code ?
> >>
> >> Regards
> >> Zahid
> >> > -----Original Message-----
> >> > From: Bono, Chris [SMTP:[EMAIL PROTECTED]]
> >> > Sent: Wednesday, January 31, 2001 3:30 PM
> >> > To:   [EMAIL PROTECTED]
> >> > Subject:      Re: Is LoginServlet bad practice?
> >> >
> >> > Why not use J2EE security?
> >> >
> >> > -----Original Message-----
> >> > From: Carlos Otero Barros [mailto:[EMAIL PROTECTED]]
> >> > Sent: Wednesday, January 31, 2001 8:31 AM
> >> > To: [EMAIL PROTECTED]
> >> > Subject: Is LoginServlet bad practice?
> >> >
> >> >
> >> > Hi All!
> >> >
> >> > Recently I have been involved in a discussion about the convenience of
> >> > encapsulating the login process in a separate servlet, namely LoginServlet.
> >> > My opinion is this is a bad practice from a security point of view.
> >> > Internal personnel could substitute the LoginServlet with any other
> >> > simple servlet with the same methods() and take the whole web site
> >> > unsecured.
> >> >
> >> > Your opinion?
> >> >
> >> > Thanks
> >> >
> >> >
> >> > ===========================================================================
> >> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> >> > of the message "signoff EJB-INTEREST".  For general help, send email to
> >> > [EMAIL PROTECTED] and include in the body of the message "help".
> >> >
