On Wed, 2001-10-31 at 23:57, Jeff Anderson wrote:
> But, even if only the notion of auditing is
> present in a security framework, if it provides
> the end user a means to add auditing, it will
> have more value than the JAAS.

I'm not so sure there is a strong relationship between
authentication/authorization and auditing/action logging. An action log
just needs to contain the identity of the user performing any given
action... no authentication or authorization is necessary for that.

Typically you create an audit layer for your RDBMS and then place
strategic calls in the code to fill out the audit tables... If this is a
service every p5ee application will require, then it should go in
p5ee-core. I don't think it's required for every application though.
Besides, you're probably better off implementing logging as a "bean"
(camel dropping/oyster etc.) anyway... and that means it *builds* on
p5ee-core rather than being part of p5ee-core.

> authorization audit" and "HIPAA" for LOTS more
> info. (that's the Health Insurance Portability
> and Accountability Act of 1996, btw)

You too, huh. :-)

> jeffa

-- 
pgp: http://www.geocities.com/matthewbk/pubkeyw.txt
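
An added example, not part of the original message or of p5ee: a minimal audit layer of the kind the reply describes, where the logger receives only an identity string and the application places a call next to each action. The `AuditLog` package, the `audit_log` table, `update_record` and the sample values are hypothetical, and an in-memory SQLite database via DBD::SQLite is assumed as the RDBMS.

```perl
use strict; use warnings;
use DBI;
use POSIX ();

package AuditLog;    # hypothetical name, not part of p5ee

sub new {
    my ($class, $dbh) = @_;
    $dbh->do(q{
        CREATE TABLE IF NOT EXISTS audit_log (
            id        INTEGER PRIMARY KEY AUTOINCREMENT,
            logged_at TEXT NOT NULL,
            user_id   TEXT NOT NULL,
            action    TEXT NOT NULL,
            object    TEXT,
            outcome   TEXT NOT NULL
        )
    });
    return bless { dbh => $dbh }, $class;
}

# Takes the caller's identity as an opaque string; it performs no
# authentication or authorization itself.
sub record {
    my ($self, %e) = @_;
    for my $field (qw(user_id action outcome)) {
        die "audit: missing $field\n"
            unless defined $e{$field} && length $e{$field};
    }
    # Bound placeholders keep logged values out of the SQL text.
    $self->{dbh}->do(
        'INSERT INTO audit_log (logged_at, user_id, action, object, outcome)
         VALUES (?, ?, ?, ?, ?)', undef,
        POSIX::strftime('%Y-%m-%dT%H:%M:%SZ', gmtime),
        @e{qw(user_id action object outcome)},
    );
}

package main;
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
my $audit = AuditLog->new($dbh);

# A "strategic call": the application logs right after the action it performs.
sub update_record {
    my ($user_id, $record_id) = @_;
    my $ok = 1;    # stands in for the application's real update
    $audit->record(user_id => $user_id, action => 'update',
        object => "record/$record_id", outcome => $ok ? 'success' : 'failure');
    return $ok;
}
update_record('jdoe', 42);    # constructed sample identity and record id
print join(' ', @$_), "\n" for @{ $dbh->selectall_arrayref(
    'SELECT logged_at, user_id, action, object, outcome FROM audit_log') };
```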
