On Wed, 21 Aug 2002, Max Cooper wrote:
> Date: Wed, 21 Aug 2002 23:49:12 -0700
> From: Max Cooper <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Container-managed authentication not possible
>
> Craig,
>
> True indeed, and I have info about that on the project home page.
> SecurityFilter does not work with EJBs. I am looking into making it work,
> but your application code would have to pass the Principal into the call
> programmatically (and thus would not be the same as it would be for
> container managed security). The same code should work for container or
> filter security, but it wouldn't be the same code you would write if you
> were planning to use container managed security from the outset. I am not
> really sure if this will work yet or not, but it is on my list of things to
> try.
>
> -Max
>
Max,
I'm very glad to hear that you've covered this issue in the docs already
... it is a very obvious place that people might make mistaken
assumptions. However, I can't hold out much hope that you will be able to
find a portable solution to working for EJBs in the short term.
The key problem you're facing is that you need to convince the container
to trust an application's assertions about security -- and that just isn't
going to fly in current generation containers, because it would lead to
a raft of security attacks by maliciously coded applications. (If we want
that kind of thing, we can just use .NET, thank you :-). I'm personally
adamant about Tomcat *never* trusting a user application for this kind of
thing, until there is a safe way to do so. I can't imagine that any other
app server would be any less stringent about managing something this
fundamental either.
The current reality of J2EE security APIs is that there is no portable
mechanism to support several commonly-desired features (such as setting up
new users and auto-logging-in in a portal type environment). These sorts
of problems need to be solved at the container level, so that applications
don't need to worry about them.
In my day-job role (at Sun) as the Web Layer Architect for the entire J2EE
platform, this is one of my priority concerns. Unfortunately, providing
the appropriate solution is going to take a while. In the mean time,
things like SecurityFilter serve a very valid need for non-EJB webapps,
and I'm happy to see that you've taken on the effort to provide a general
purpose solution in this problem space.
Craig
> ----- Original Message -----
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> >
> > I haven't had time to check your docs for myself :-), but I hope you do
> > point out one critical place where the application *does* have to care
> > about whether it is "real" container managed security or not -- EJB
> > access. From the point of view of an EJB container, requests protected by
> > any sort of mimicing security filter will appear to be coming from an
> > unauthenticated web user (which might or might not be ok, depending on
> > your security policies and application design).
> >
> > Craig
>
>
>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
