Posted to dev@turbine.apache.org by ra...@apache.org on 2001/03/22 17:51:27 UTC
cvs commit: jakarta-turbine/xdocs j2ee-integration.xml
rafal 01/03/22 08:51:26
Modified: xdocs j2ee-integration.xml
Log:
added a note about container managed security
Revision Changes Path
1.2 +37 -0 jakarta-turbine/xdocs/j2ee-integration.xml
Index: j2ee-integration.xml
===================================================================
RCS file: /home/cvs/jakarta-turbine/xdocs/j2ee-integration.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- j2ee-integration.xml 2001/03/21 17:49:14 1.1
+++ j2ee-integration.xml 2001/03/22 16:51:24 1.2
@@ -128,6 +128,43 @@
security your application requires.
</p>
+<p><strong>How does Turbine work with ... container manged security?</strong></p>
+
+<p>
+You can use container managed security if you wish, and Turbine provides you with
+mechanism for application manged security, in case you need them.
+</p>
+
+<p>
+The main problem with container managed security is that it cannot be managed
+from the inside of the application. Whenever you want to add/remove users to
+your application (or suite of them) or want to modify user's roles, you need
+to use whatever tool your application server provides for that.
+</p>
+
+<p>
+Now, this could work just fine for closed-public applications and intranets,
+but would be really unacceptable on open-public sites, where the users need
+the ability to register and receive 'accounts' without human interaction.
+</p>
+
+<p>
+Currently Turbine supports the latter model - application managed security.
+This is because if it didn't have it, many people would have to write code
+to provide it. That's why we created SecurityService in a cooperative effort.
+</p>
+
+<p>
+On the other hand, you don't need to write any code to use declarative
+container managed security. You can restrict access to the Turbine
+servlet with the usual web.xml magic. If you wish to use programmatic
+container managed security code, there is relatively very little code to write.
+You need to create your own SecureScreens (probably extending VelocityScreen)
+and SecureActions that contained code that calls the <code>HttpServletRequest
+getUserPrincipal</code> and <code>isUserInRole</code> methods.
+above.
+</p>
+
</section>
</body>
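Review bot: The last added paragraph ends with a stray "above." on its own line after the isUserInRole sentence; it refers to nothing in the new text and should be dropped. In the same hunk, "manged" should be "managed" both in the new question heading and in "application manged security", and "provides you with mechanism ... in case you need them" mixes singular and plural (suggest "with mechanisms for application managed security, in case you need them"). The span "<code>HttpServletRequest getUserPrincipal</code>" reads as a single identifier; writing the two methods as HttpServletRequest.getUserPrincipal() and HttpServletRequest.isUserInRole(String) would be clearer, and "that contained code" should be "that contain code". Finally, "Currently Turbine supports the latter model" is ambiguous because the preceding paragraph contrasts closed and open sites rather than two security models; naming application managed security directly, without "the latter", removes the doubt.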