> > >Consider that you are writing a portal application, with the usual self
> > >registration facilities. It is trivially simple to make the portal app
> > >itself portable across containers, if you just stick to standard servlet
> > >and JSP facilities. But the notion of "add a new user" is not portable,
> > >and requires integration with each container's own user database update
> > >mechanisms (for example, using a particular Realm in Tomcat). There is no
> > >way to write the functionality for this in a portable way.
> >
> > Maybe there should be added functionality to javax.servlet.ServletContext to
> > add and delete users.
>
> Something like this, or some portable container-level API with
> functionality similar to what Tomcat's (4.1.x) "UserDatabase" provides, is
> a long term goal of the platform. Unfortunately, it is *substantially*
> more complex than you might think to identify what a "user" is in a manner
> that is portable across all desireable use cases -- let alone how they
> should be authanticated. It's not going to be a short term effort to
> standardize this.
Maybe put in a baseline implementation (role based authentication)
with express instructions to really, really, really use container
managed security for mission critical software?
That way people interested in fast prototyping or using Struts for
personal projects could use platform independent user authentication
and people who require "real" solutions would still be able to use
the J2EE security model.
-TPP
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
