Have you had the chance to look at jetspeed for authentication/authorisation
enforcement and logging?
http://portals.apache.org/jetspeed-1/
Martin-
----- Original Message -----
From: "Frank W. Zammetti" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <user@struts.apache.org>
Sent: Saturday, July 16, 2005 1:01 PM
Subject: Re: [FRIDAY] What technology do you use for authentication and authorization?
Hi Craig,
I am currently using container-managed security in all my day work. We
have built a fairly robust framework to sit on top of it to fill in some
of the gaps (things like enforcing password restrictions, some extensions
to group support, etc).
If there was one change I'd personally like to see made it would be a
change to the fundamental nature of how it works. Nothing major :)
I spend a fair amount of time explaining to people how constraints work
(which of course presupposes that *I* understand it!)... it seems odd to
most people I talk to that you are laying down restrictions on things, and
anything not restricted is allowed. I remember reading one description a
while back that made this clear to me: "Servers are there to serve, and
that's what they do by default". While that explanation worked for me,
I've found that it doesn't for everyone.
What I would ideally like is the ability to set some switch that says "ok,
now NOTHING is allowed EXCEPT for what I define". Of course the default
would still be what it is now, so nothing would be broken. I suppose
there might be some new elements instead of <security-constraint>, maybe
<security-allowance>, so if you're in constraint mode you use constraints,
if in allow mode you use allowances.
However the config is done though, the point is allowing me to define what
is allowed while anything else isn't, the opposite of what it is now.
Frank
Craig McClanahan wrote:
(It's still Friday here on the Pacific Coast, so I'll sneak in a late
question)
One of my colleagues at Sun, Greg Murray, is spec lead for the next
rev of the Servlet API. He has recently written a blog asking for
input on what you'd like to see in the next version:
http://weblogs.java.net/blog/gmurray71/archive/2005/07/got_servlets.html
My particular question (well, questions :-) for the Struts community:
* What technology do you currently use for authentication and authorization
in your web applications?
* If you use the container managed security facilities of your container,
does it completely meet your needs? If not, what else would you like to see?
* If you don't use container managed security (i.e. the facilities defined in
the servlet and J2EE, err, Java EE specifications), what capabilities would
you need to have available before you'd consider using the container
facilities?
For maximum positive benefit to the world, please cc your responses
both here and reply to Greg's blog (at the URL listed above). Of
course, you're welcome to comment (on the blog) about any other
features you'd like to see the Servlet spec standardize, but tonight
I'm particularly interested in this particular aspect.
Craig
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
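As an added illustration (not part of this thread or of any of the posters' code), the deny-by-default behaviour Frank describes can be approximated with the <security-constraint> element the spec already has. The Servlet spec says an <auth-constraint> with no <role-name> precludes access for all users, and that the constraint whose url-pattern best matches the request is the one applied. So a catch-all constraint on /* with an empty <auth-constraint/> refuses everything, and each more specific constraint acts as an "allowance". The paths and role names below are assumptions chosen for the example.

```xml
<!-- web.xml fragment: deny everything by default, then open specific paths.
     Added example; the URL patterns and role names are assumptions. -->
<web-app>

  <!-- 1. Catch-all. An empty <auth-constraint/> means "no role may access",
       i.e. access is precluded for every user. Because the container applies
       the constraint whose url-pattern is the best match for the request,
       this only governs URLs that no more specific pattern below claims. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything-else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- 2. "Allowance" for anonymous content: no <auth-constraint> element at
       all means the resource is open to everyone. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public-pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- 3. "Allowance" for authenticated users in a named role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Two things to check when using this pattern. First, everything the application serves, including static resources, welcome pages and error pages, now needs an explicit allowance or the container will refuse it, which is the point but is also the most common reason a "nothing works" report comes back after the change. Second, if a <web-resource-collection> lists <http-method> elements, the methods it does not list remain unconstrained, so the default-allow trap reappears per method; leaving <http-method> out (as above) constrains all methods, and later servlet versions (3.1 onward) added <deny-uncovered-http-methods/> to close that gap declaratively.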