Posted to user@struts.apache.org by "Struts Newsgroup (@Basebeans.com)" <st...@basebeans.com> on 2002/06/04 06:40:02 UTC

Re: related to: Re: #2 - Use DispatchAction to organize related

From: Vic C <vi...@basebeans.com>
 ===
I respectfully disagree.
I had no problems using JAAS for LDAP, even Microsoft NT Security (via 
JDBC realms, since both could appear as SQL sources in JDBC realms).
JAAS works fine, great even and it is so easy and fast. It even works 
for a single sign on for heterogeneous environments (MS, ColdFusion, 
WebApps, SOAP.... I could even use it for Swing).

Even if you have to extend it, extend it, but start with it. It might 
fit the bill with no code. Certainly newbies should use it.
It can do 98 % with no effort.
To extend, use
http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()
has this and other methods, you can make a "header" formBean out of and 
find out everything else about the user.

 >> Again, it is a bad practice to do security in action or in Struts. It
 >> should be done using the web container, search Google for JAAS, it is
 >> already done for you.

Finish programming, then add JAAS. It is just a service, not part of the 
web application/business solution. These developers get lost coding 
technology and lose focus of developing the web app.
The point of using a framework is to focus on web app and use technology 
and not build technology. The analogy I use in class is:
"When you wake up in the morning when you wake up, you can either use the 
car to drive to work, or you can get under the car, change the oil and 
tinker with the combustion engine". Drive the car!

Not sure what "or if I have multiple datasources" is.

Vic


Chuck Cavaness wrote:
> Vic/Rick,
> 
> This has been my experience with container-managed security. If your 
> application doesn't need to execute any special business logic as part 
> of the login process, yes it works fine. However, if I've got to 
> authenticate with LDAP, or check how many failed login attempts this 
> userid has before letting them in, or check with the userid locked out 
> for any reason, or if I have multiple datasources, container-managed 
> security has been a big pain in the ass.
> 
> I haven't found any portable and generic hook to allow for the kind of 
> functionality that I described above with container-managed security. 
> Now, having said that, I do agree that anything that can be done 
> declaratively, rather than programmatically, is a good thing. But even 
> the EJB spec members left in programmatic security, because they knew 
> that not every app had the same requirements. I thought JAAS was going 
> to be the greatest thing since sliced bread when it came out, 
> unfortunately it wasn't and I'm still waiting...
> 
> Chuck
> 
> 
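
Added example, not part of either post and not Struts or container code: one way the failed-login check Chuck describes can be written as a JAAS extension of the kind Vic suggests, by stacking a small LoginModule ahead of the module that verifies the password. The class name, the threshold of 5, the in-memory counter and the configuration line in the comment are assumptions; it needs Java 8 or later.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical lockout module. Assumed JAAS configuration, listing it before
// the module that really checks the password:
//   LockoutLoginModule requisite;  <LDAP or JDBC module> required;
public class LockoutLoginModule implements LoginModule {
    private static final int MAX_FAILURES = 5; // assumed policy
    // In memory for the example; production needs a shared, persistent store.
    private static final Map<String, AtomicInteger> FAILURES = new ConcurrentHashMap<>();
    private CallbackHandler handler;
    private String user;      // userid of the attempt in progress
    private boolean counting; // true once this attempt passed the lock check

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("userid: ");
        try {
            handler.handle(new Callback[] { name });
        } catch (Exception e) { // IOException or UnsupportedCallbackException
            throw new LoginException("cannot read userid: " + e.getMessage());
        }
        user = name.getName();
        if (user == null) throw new LoginException("no userid supplied");
        AtomicInteger n = FAILURES.get(user);
        if (n != null && n.get() >= MAX_FAILURES)
            throw new AccountLockedException("too many failed logins");
        counting = true;
        return false; // assert no identity; the module stacked after this decides
    }
    public boolean commit() { // overall login succeeded: clear the counter
        if (counting) FAILURES.remove(user);
        counting = false;
        return false;
    }
    public boolean abort() { // overall login failed: count it against the userid
        if (counting) FAILURES.computeIfAbsent(user, k -> new AtomicInteger()).incrementAndGet();
        counting = false;
        return false;
    }
    public boolean logout() { return true; }
}
```

Counting failures per userid lets anyone who knows a userid lock that account, and the map grows with every distinct userid tried, so a deployment would add an unlock window and bound or persist the counters.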

