On 09-11-2010 at 12:17, Samuel Santos wrote:
> I do agree that we should at least add the support for Java Authentication
> and Authorization Service (JAAS) to Stripes core.

Maybe I'm being silly here, but why? I mean, every servlet container and
application server supports JAAS (the authentication part at least). I
already can add authentication using web.xml, and the only tricky part here
is that often my server needs to use my DB queries (which JBoss already had
an excellent solution for years ago, IMHO).

And honestly, I've not yet encountered a situation where JAAS authorization
was used. I know that JAAS authorization can be used for user authorization,
but specifying the permissions for users and objects in a dynamic way using
JAAS is just too complicated. There are many frameworks offering an easier
solution for this.

There are only two reasons why I'd implement authentication using a filter:
1. When I want the HttpServletRequest.getUserPrincipal() to return a (proxy
   to a) domain object, or
2. When I want to use the JAAS LoginModule to its full extent (i.e. create a
   login wizard using multiple calls to CallbackHandler.handle(Callback[]),
   like com.sun.security.auth.callback.TextCallbackHandler implicitly does).


Please don't get me wrong: I think it is good to raise the security issue. It
simply is that important. Maybe what I'm missing is consensus on what
security means. I've seen it used as any combination of the following:
- authentication (a user is who he says he is)
- authorization  (a user is allowed to do X, Y and Z, but not F)
- accountability (on this date & time, user X did Y)
- extra confirmations (authenticating individual transactions, displaying
     extra information, etc. to combat cross-site scripting and other hacks)
- data safety    (the C&D from ACID, and backups; a stretch, but ok)
- SLA & uptime guarantees (this one surprised me)


Oscar

-- 
   ,-_  Oscar Westra van Holthe - Kind      http://www.xs4all.nl/~kindop/
  /() )
 (__ (  Progress is made by lazy men looking for easier ways to do things.
=/  ()  -- Robert Heinlein


_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
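The two filter-based reasons Oscar lists above (a domain object behind getUserPrincipal(), and driving a JAAS LoginModule through its CallbackHandler yourself) look like this in a servlet filter. This is an added example, not code from the Stripes project or from the thread; the login-configuration entry name "StripesApp", the session attribute name and the form parameter names are assumptions, and a LoginModule matching that entry is assumed to be configured.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;

public class JaasLoginFilter implements Filter {
    private static final String SUBJECT_KEY = "jaas.subject";  // session attribute name (assumed)
    private static final String LOGIN_ENTRY = "StripesApp";    // login-configuration entry (assumed)
    public void init(FilterConfig cfg) {} public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(true);
        Subject subject = (Subject) session.getAttribute(SUBJECT_KEY);
        String user = http.getParameter("username"), pass = http.getParameter("password");
        if (subject == null && user != null && pass != null) {
            try {
                LoginContext lc = new LoginContext(LOGIN_ENTRY, new FormCallbackHandler(user, pass.toCharArray()));
                lc.login();                 // runs login()/commit() on the configured LoginModule(s)
                subject = lc.getSubject();
                http.changeSessionId();     // Servlet 3.1+: fresh session id after login (session fixation)
                session.setAttribute(SUBJECT_KEY, subject);
            } catch (LoginException e) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        // The Principal the LoginModule committed (it may be the domain object itself) is what getUserPrincipal() returns now.
        final Principal p = subject == null ? null : subject.getPrincipals().stream().findFirst().orElse(null);
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return p; }
        }, res);
    }

    /** Answers the callbacks the LoginModule raises; a login wizard would gather them over several requests. */
    static final class FormCallbackHandler implements CallbackHandler {
        private final String name; private final char[] password;
        FormCallbackHandler(String name, char[] password) { this.name = name; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
```

Map the filter in web.xml in front of the protected paths; a LoginModule that looks the user up in the application's own tables can commit that user object as the Subject's principal, which is the first of the two cases.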
