Joe -
Your comment

> My main issue with Container Based auth is its inability to support user-initiated login -- it only works by intercepting a request for a normal resource and then challenging for login.

struck a chord with me - it's one of the reasons I've never looked at implementing CMS. How do you handle this? Roll your own?
Yes; it's not too hard to come up with a simple user model, although obviously more sophisticated apps can be a headache to build from scratch.
If you have some mechanism to get a user into the session, then it's not too hard to override the "processRoles" step in the request process to provide struts-config level declarative security comparable to what happens by default using container-managed security. I haven't had call to try to replicate the tag-library behavior. We usually have interfaces that are different enough based on role that it's just as well to have separate templates as to try to have one with a bunch of conditionals.
There was a pretty good JDJ article about two years ago which laid out all the flaws of container based security -- besides the aforementioned "no-user-initiated login", it's pretty hard to use container managed security on resources which don't *require* authentication, but behave differently after authentication. I never tried to use their implementation, and the Filter-nature of Security Filter makes it look like probably a better solution to the same problem. (Two years ago, we may not have been on Servlet 2.3 yet, but that's not an issue now...)
Joe
--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Narrow minds are weapons made for mass destruction" -The Ex
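
The "processRoles" override described in the message above, as an added example that is not part of the original post or Joe's own code. It assumes Struts 1.x and that the application's own login action stores the user's roles as a `Set` of role names in the session; the attribute name `app.user.roles` and the `/login.do` path are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SessionRoleRequestProcessor extends RequestProcessor {

    /** Hypothetical session key; the application's login action sets it. */
    public static final String USER_ROLES_KEY = "app.user.roles";

    /** Hypothetical path of the application's own login action. */
    private static final String LOGIN_PATH = "/login.do";

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // Roles come from the "roles" attribute of the <action> in struts-config.
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // action declares no roles: nothing to enforce
        }

        // Do not create a session just to find out there is no user in it.
        HttpSession session = request.getSession(false);
        Object held = (session == null) ? null : session.getAttribute(USER_ROLES_KEY);
        if (!(held instanceof Set)) {
            // No authenticated user: send the browser to the login action.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return false; // stop processing this request
        }

        Set<?> userRoles = (Set<?>) held;
        for (String role : required) {
            if (userRoles.contains(role)) {
                return true; // any one matching role is enough
            }
        }
        // Authenticated but lacking every required role: fail closed.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Register the class with `<controller processorClass="SessionRoleRequestProcessor"/>` in struts-config.xml so that the `roles` attribute on each `<action>` is checked against the session instead of `request.isUserInRole()`.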