On 4/24/07 8:49 AM, "Shahak Nagiel" <[EMAIL PROTECTED]> wrote:
> Others can chime in as well, but from my experience in the past, > container-managed authentication is a little too rigid and doesn't offer > anywhere near the flexibility of a custom-brewed authentication/authorization > scheme. That's not to say a "custom" scheme need be entirely proprietary; we > just implemented a JAAS-backed security framework for authentication and > authorization, but which fully exposes in our source code (action classes and > authorization interceptor) all steps of the process so we have control over > things that container-managed security makes difficult (such as logging, > counting of failed logins, integrating authorization rules into struts.xml, > and so forth). I'd echo a lot of this sentiment. Using the interceptor gives me control over the process. Also, personally I don't use JAAS. Maybe I will someday, but right now I don't. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]