I have spent some time looking at the security of a possible JBoss-Tomcat system and I have a few questions left. We want the server to be very safe!

1/ Do I want to use the policy file system to restrict access to files and directories? Is this the best way or is it a left-over from some previous system? I ask this because it seems to be commented out or effectively disabled in most examples.

2/ Are there any problems in using JAAS and wrapping the whole client conversation in SSL to protect the passwords?

3/ I want a single login to the whole suite of servlets and beans. Do I just use standard declarative security on the lot? Will JBoss maintain a user's login state across access to several applications?

4/ If I have servlets that have no reference to any beans, should I wrap them in a JBoss application war and ear files to get security or is there a better way?

5/ Should I be able to use DIGEST authentication on a servlet, just by setting that as the auth-method or is there more to it? It looks as if the server doesn't make the method clear to the client.

6/ SRP - is this a good way to go? Again, it is in the config files but always seems to be commented out and not really emphasised or expanded upon in the examples.

Thanks in advance.

Gerry

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
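As an added illustration of the declarative-security approach raised in questions 2, 3 and 5 (this is example configuration, not something from Gerry's post or from the JBoss distribution): a standard Servlet 2.3 `web.xml` that protects a set of servlet URLs with a role, forces the exchange onto SSL with `transport-guarantee CONFIDENTIAL`, and selects `DIGEST` as the `auth-method`, paired with a JBoss-specific `jboss-web.xml` that binds the web application to a JAAS security domain. The URL pattern `/secure/*`, the role name `user`, the realm name and the security-domain JNDI name `java:/jaas/example-domain` are placeholders I chose for the example, not values from the page.

```xml
<!-- WEB-INF/web.xml (example fragment; element names are from the Servlet 2.3 spec) -->
<web-app>

  <!-- Everything under /secure/ requires an authenticated caller in role "user".
       Listing http-method explicitly keeps the constraint from silently
       leaving unlisted methods (e.g. HEAD, OPTIONS) unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected servlets</web-resource-name>
      <url-pattern>/secure/*</url-pattern>        <!-- placeholder pattern -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>                 <!-- placeholder role -->
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect plain HTTP requests to
         HTTPS, so the credential exchange (whatever the auth-method) and the
         session cookie never travel in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- DIGEST sends a hash of the password rather than the password itself.
       The realm-name is part of what the client hashes, so it must match
       what the server-side login module expects. -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Example Realm</realm-name>        <!-- placeholder realm -->
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>

<!-- WEB-INF/jboss-web.xml (JBoss-specific; the JNDI name is an assumption
     for this example and must match a domain configured in login-config.xml) -->
<jboss-web>
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss-web>
```

Two checks worth making after deploying such a descriptor: request a protected URL over plain HTTP and confirm the container answers with a redirect to HTTPS rather than serving the page, and watch the `WWW-Authenticate` header on the first unauthenticated HTTPS request to confirm the server really advertises the `Digest` scheme (and the expected realm) rather than falling back to `Basic`; if it does not, the `auth-method` has not taken effect and the login module backing the security domain needs checking.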