CP has talked about porting web app security between different application servers.
Whenever I read about these things, I wish that the specs would cover more, so we didn’t have to do this kind of infrastructure work.
The Servlet spec does a good job of giving us portability among app servers (unlike the EJB experience), however there is still room for improvement.
You can’t just drop a war file in if you are doing wacky security stuff. It would be nice if this info could be put in the standard, so we COULD. Cookie auth should be a flag that you can just turn on. There should be a standard Realm interface which you can extend and tie together in the web.xml to handle the authentication, etc. All of it should be pluggable, and defined in one place.
J2EE always seems to only go part of the way there when it comes to items like this. Another example is how JAAS allows you to have pluggable authentication/authorization, but how about a standard way to actually manage users? How about a standard createUser(…)/edit/delete?
This is what we have available in PAM on Unix, and we want it at an API level in J2EE!