On Fri, 8 Mar 2002 09:37:05 -0500 "Aaron Held" <[EMAIL PROTECTED]> wrote: >The J2EE security model is great to emulate, I've used it on >other projects.
Currently, I'm looking at JAAS, too, although I think my four line executive summary is a lot more readable than Sun's documentation, but then when is that not the case? ;-) >Its much stronger then a wrapper around Basic Auth. You can specify different >types of authentication, including Basic Auth, and the traditional html >Form based login. That's where it's interesting. The servlet container effectively does the hard part, leaving you with servlets which are unaware of the authentication process. This could be emulated in Webware pretty easily, but like a lot of J2EE technologies, I wonder how well it would work (or even it if would work at all) if you chose non-HTML-based outputs. >Then you can change the authentication method, or include other servlets in the >secure zone just by changing the deployment descriptor. That's another thing I'm wary of. It's nice to have location-based access controls, but what happens when I want to manage access controls in a different way? There must be some more reading for me to do, I think. >I achive a similar webware effect by putting my login system into >a 'SecurePage' class and then all of the site pages that use that security >model would be subclassses of that. > >I suppose an easy Webware approach would be to use a security mixin and have >that be injected at context load time. Indeed. Using inheritance is a good way of introducing authentication where the framework doesn't support the style you need. Providing a mix-in "protocol" and lots of documentation could remove any need for "bloating" the framework with particular built-in authentication schemes. Paul -- Get your firstname@lastname email at http://Nameplanet.com/?su _______________________________________________ Webware-discuss mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/webware-discuss