Posted to user@struts.apache.org by Jim Barrows <jb...@sssc.com> on 2004/08/23 18:41:32 UTC

RE: Best practice for login functionality


> -----Original Message-----
> From: struts [mailto:struts@pings.dk]
> Sent: Monday, August 23, 2004 9:29 AM
> To: user@struts.apache.org
> Subject: Best practice for login functionality
> 
> 
> Hi. Since most Struts-based applications have some sort of login facility
> I thought there must be some kind of "best practice" when using the Struts
> framework.
> 
> I have several ideas on how to do it but I'd rather use others' experience in
> this area. Looking forward to suggestions.
> 
> I guess around 10-50 users will use the system when done.

There are 3 different methods I'm aware of.  Which one I use is determined by the client setup and needs more than the number of users.  Besides, user counts are nearly always low in my experience.
1) Use the declarative model built into the Servlet/JSP standard.
Pros:
1) It's easy.
2) The container manages the security for you.
3) Your clients can change it without too much trouble.
Cons:
1) It's URL based, not based on data.  However, I believe that such rules are a function of business logic, and belong there.  YMMV.
2) It's limited to the methods provided by the container (i.e. some containers will do LDAP, some won't).
3) Your users can change the security around without too much trouble, and blame you for screwing it up.
4) Somewhat difficult to allow someone to login before hitting a secure link.
5) Somewhat difficult to implement remember-me functionality.

2) Roll your own
Pros:
1) Can be customized to nearly any client setup.
2) Can be down to the data level 
3) Very easy to allow someone to login before hitting a secure link.
Cons:
1) It's only as good as you are.  If you don't cover every possible scenario, then you have a security issue.  This is easier with filters.
2) You have to write it and maintain it.
3) If you don't write it correctly you have to re-write it for every freaking change the client's little mind can come up with.

3) Combine both.
I like the way Matt Raible does security in appfuse.  He uses a servlet to do his security.  It's still the declarative model, but the fact that he wraps it all up in a servlet means that it would be fairly easy to rewrite to custom if you needed to.
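As an added illustration of option 2 (this is example code, not from the thread, Struts or AppFuse): a minimal javax.servlet.Filter, mapped to /* in web.xml, that denies by default and saves the requested path so a user can log in before hitting a secure link. The session attribute names, the /login.do path and the /images/ prefix are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login filter (added example). Deny by default: a request passes only
// if its path is on the short public allow-list or the session already holds an
// authenticated user. Attribute names and paths are assumptions.
public class LoginFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser"; // set by the login action on success
    static final String RETURN_ATTR = "returnTo";        // where to send the user after login
    private static final Set<String> PUBLIC =
        new HashSet<String>(Arrays.asList("/login.do", "/login.jsp", "/logout.do"));
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Drop the context path so the allow-list does not depend on the deployment name.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        HttpSession session = request.getSession(false); // never create a session for anonymous hits
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (loggedIn || isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }
        // Remember the server-relative target (never a full URL, so the post-login
        // redirect cannot point off-site), then send the user to the login page.
        String query = request.getQueryString();
        request.getSession(true).setAttribute(RETURN_ATTR, query == null ? path : path + "?" + query);
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/login.do"));
    }

    // Exact match for pages, prefix match only for static assets.
    static boolean isPublic(String path) {
        return PUBLIC.contains(path) || path.startsWith("/images/");
    }
}
```

The data-level rules the reply mentions stay in the business logic; the filter only decides whether an authenticated session exists before any action runs.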

