CP has talked about porting web app security between different application servers.
Whenever I read about these things, I wish that the specs would cover more, so we didn’t have to do this kind of infrastructure work.
The Servlet spec does a good job of giving us portability among app servers (unlike the EJB experience); however, there is still room for improvement.
You can’t just drop a war file in if you are doing wacky security stuff. It would be nice if this info could be put in the standard, so we COULD. Cookie auth should be a flag that you can just turn on. There should be a standard Realm interface which you can extend and tie together in the web.xml to handle the authentication, etc. All of it should be pluggable, and defined in one place.
J2EE always seems to only go part of the way there when it comes to items like this. Another example is how JAAS allows you to have pluggable authentication/authorization, but how about a standard way to actually manage users? How about a standard createUser(…)/edit/delete?
This is what we have available in PAM on Unix, and we want it at an API level in J2EE!
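To make the two halves of the complaint concrete, here is an added example (my own code, not anything from the post or from a particular app server): the authentication half uses the real JAAS `LoginModule` contract, which is standard and portable; the user-management half is a `UserManager` interface that I made up for this example, because J2EE defines nothing like it. `InMemoryUserStore`, `InMemoryLoginModule`, `UserPrincipal` and the user `alice` are all constructed for the example; it assumes Java 11 or later and a JCE provider that offers `PBKDF2WithHmacSHA256`.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** HYPOTHETICAL: the user-management API J2EE does not standardise. */
interface UserManager {
    void createUser(String name, char[] password);
    void deleteUser(String name);
    boolean changePassword(String name, char[] oldPw, char[] newPw);
}

/** Constructed in-memory credential store: name -> {salt, PBKDF2 hash}. */
class InMemoryUserStore implements UserManager {
    static final InMemoryUserStore INSTANCE = new InMemoryUserStore();
    private static final int ITERATIONS = 100_000, KEY_BITS = 256, SALT_LEN = 16;
    private final Map<String, byte[][]> users = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    static byte[] hash(char[] pw, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    public void createUser(String name, char[] password) {
        byte[] salt = new byte[SALT_LEN];
        rng.nextBytes(salt);
        users.put(name, new byte[][] { salt, hash(password, salt) });
    }
    public void deleteUser(String name) { users.remove(name); }
    public boolean changePassword(String name, char[] oldPw, char[] newPw) {
        if (!verify(name, oldPw)) return false;
        createUser(name, newPw); // re-salt and re-hash under the new password
        return true;
    }
    /** Unknown users still go through a hash + constant-time compare, so timing does not reveal them. */
    boolean verify(String name, char[] pw) {
        byte[][] rec = name == null ? null : users.get(name);
        byte[] salt = rec == null ? new byte[SALT_LEN] : rec[0];
        byte[] expected = rec == null ? new byte[KEY_BITS / 8] : rec[1];
        boolean match = MessageDigest.isEqual(hash(pw, salt), expected);
        return match && rec != null;
    }
}

/** Simple Principal placed on the Subject after a successful login. */
class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** The standardised half: a JAAS LoginModule that checks credentials against the store above. */
public class InMemoryLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
        succeeded = InMemoryUserStore.INSTANCE.verify(nc.getName(), pw);
        Arrays.fill(pw, '\0'); // do not keep the cleartext around longer than needed
        pc.clearPassword();
        if (!succeeded) throw new FailedLoginException("authentication failed");
        user = nc.getName();
        return true;
    }
    public boolean commit() {
        if (succeeded) subject.getPrincipals().add(new UserPrincipal(user));
        return succeeded;
    }
    public boolean abort() { succeeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Stand-alone demo: create a user through the hypothetical API, then log in through JAAS.
    public static void main(String[] args) throws LoginException {
        InMemoryUserStore.INSTANCE.createUser("alice", "correct horse".toCharArray());
        LoginModule lm = new InMemoryLoginModule();
        lm.initialize(new Subject(), callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("correct horse".toCharArray());
            }
        }, Map.of(), Map.of());
        System.out.println("login=" + lm.login() + " commit=" + lm.commit());
    }
}
```

The point of the split is visible in the imports: everything the `LoginModule` needs comes from `javax.security.auth`, so that class is portable across containers, while `UserManager` has no standard package to live in, and in practice each app server's admin console or realm implementation ends up owning user creation and deletion in its own way.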
January 4th, 2005 at 12:20 pm
RE: J2EE App Server Security
Dion and Christian are talking about J2EE App Server Security. Specifically, they are talking about setting up standard container-managed security. J2EE allows you to specify security settings in your web.xml, but to make those work – you have to conf