On Mon, 26 Aug 2002, Michael Lee wrote:
> Date: Mon, 26 Aug 2002 14:29:44 -0400
> From: Michael Lee <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: Re: j_security_check, jaas and weblogic 6.1
>
> Thank you! You are the ONLY place I've heard this! Now everything seems to
> make more sense.
>
> I was just going to use j_security_check hooked into Weblogic RDBMS and put
> the user in the session for authentication from there on in (JNDI security
> to EJB). So this looks like the right path?
>
If BEA did things correctly, you shouldn't have to do anything special
about saving the user in the session for EJB authentication -- the same
user identity should be carried over automatically.
> No offense, but is this right? BEA recommends you use JAAS all over the
> place. I'm mainly going to use ACL in the deployment descriptors for my web
> app and ejbs. I also noticed that almost all JAAS implementations were at
> the java client layer. Few were servlets, etc. This would make sense with
> what your saying because no container would exist at a pure java client
> layer (such as with the JAAS RMI example that comes with weblogic).
>
JAAS is what I'd use if I was writing the back end of WebLogic's servlet
container. But web applications that run inside the container should not
have to know anything about it. As you note, client apps don't have that
kind of container support, so a "roll your own" solution based on JAAS
makes more sense there.
> BTW, EXCELLENT job with struts Craig and team. I have 2 systems IN
> PRODUCTION! using struts. They wrote one at the job I'm at and I recommended
> struts to replace it. We are now going full steam ahead with struts!
> thanks,
> Mike Lee
>
Craig
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
