As far as I understand it, the servlet container answers / implements this
method, and it is done relative to underlying (generally container-specific)
mechanisms managed by the container. I agree it would be nice to have a
standard authentication & authorization interface (say, oh, like maybe, like
in JAAS 1.0 :-)... in addition, it would be nice to have a "standard" way
for the container to determine which group a principal is in... maybe by
subclassing a supplied abstract class and / or implementing a specified
interface related to Permission (from the security API)...
Right now, mapping user authentication information into "groups" that the
container can understand seems to be entirely up to the container.
What happens when we want to migrate to certificate-based authentication or
some other means of authentication? I am not sure how easily one will be
able to "hook" into the container-based authentication. In any case, it
will be container-specific and that limits portability. This is an issue
for me because we actually use more than one container, making it
exceedingly difficult to develop a common (enterprise) framework that will
interoperate... I need to resort to implementing a callback (via JSP) to a
JAAS loginModule that in turn uses ORB technology to enable authentication
across multiple "application suppliers"... it works, but less eloquently
than I would like.
Sorry for the long message. It was supposed to be a quick response. This
is an area near-and-dear to my heart. :-)
Daniel Kaschner
Systems Architect
eBenx
605 North Hwy. 169
Suite LL
Minneapolis, MN 55441-6465
(763) 614-2211
[EMAIL PROTECTED]
-----Original Message-----
From: Naveed Khan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 17, 2000 11:04 PM
To: [EMAIL PROTECTED]
Subject: Security and JSDK 2.2
Hi,
I'm trying to secure different areas of a web site based on their security
roles and considering security features of JSDK 2.2. There are a few
properties in deployment descriptors that can be used to define access of a
user based on its role. That's fine but it looks like there is no standard
way of authenticating a user .. I think it would be nice to have a standard
interface that I can implement to authenticate a user (using a database, for
example) and then set the role of the user. What I want to say is that it
is not clear from the API how isUserInRole() returns the proper value
??
I have seen the Resin implementation. They have their own authenticator class that
I can implement to do the stuff. Does anybody know how this is implemented
in Tomcat ??
Any light on this matter would really be appreciated ..
thanks ..
naveed
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
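
The container-managed role check discussed in this thread, as an added example that is not part of either message: a Servlet 2.2 servlet that relies on the container for authentication and asks it about role membership. The class name, role names and URL pattern are hypothetical, and the deployment descriptor fragment in the leading comment is an assumption of the example.

```java
// Added example, not code from the thread. Class, role and URL names are hypothetical.
// Assumed WEB-INF/web.xml fragment (Servlet 2.2 elements, servlet-mapping omitted):
//   <servlet>
//     <servlet-name>reports</servlet-name>
//     <servlet-class>RoleCheckServlet</servlet-class>
//     <security-role-ref>
//       <role-name>admin</role-name>       <!-- name used in code -->
//       <role-link>site-admin</role-link>  <!-- role declared below -->
//     </security-role-ref>
//   </servlet>
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>site-admin</role-name>
//       <role-name>site-user</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method></login-config>
//   <security-role><role-name>site-admin</role-name></security-role>
//   <security-role><role-name>site-user</role-name></security-role>
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class RoleCheckServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Non-null only after the container itself has authenticated the caller.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // Reached outside the security-constraint: fail closed.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user: " + user.getName() + " via " + req.getAuthType());
        // "admin" resolves through security-role-ref to "site-admin"; whether this
        // user holds that role is answered from the container's own user store.
        boolean admin = req.isUserInRole("admin");
        out.println(admin ? "admin section visible" : "standard view only");
    }
}
```

Which users hold `site-admin` is configured in the container rather than in the web application, which is the portability gap both messages describe.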