Les Hazlewood wrote:
> I've given presentations on JSecurity and had many discussions in
> private, and I always ask my audience: "How many people have heard
> of JAAS?" Maybe 40-50% of the listeners affirm they have. Then I
> ask, "how many of you have used the JAAS API or its constructs
> (permissions files, etc)?". That number has been consistently
> around 1-2%.

Right. But that is probably because most of the other 98%-99% of JEE developers rely on container-managed access, and don't write any security code. If anything, they might make a role-check in UI code to see what navigation options to offer.

The percentage of JEE developers who need more than container-managed, role-based, authorization is relatively low, although for those who need it, it is essential. Container-managed security fails at the instance level, e.g., the container can restrict access to the ClientAccount bean methods to the Customer role, but does not enforce WHICH customer login can access WHICH bean instance.

What is JSecurity's approach, and what would it look like for the lookup (JNDI) and injection (annotation) models?

	--- Noel
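
The gap between a role check and an instance-level check, as an added example that is not part of the original message and is not JSecurity's or the container's API: plain Java (16+) in which only `ClientAccount` and the `Customer` role come from the message, and `Caller`, `ownerLogin`, `roleAllows`, `instanceAllows`, `load` and the sample accounts are hypothetical names and constructed data.

```java
import java.util.Map;
import java.util.Set;

public class InstanceLevelAccess {
    // Hypothetical stand-ins for the authenticated caller and the bean instance.
    record Caller(String login, Set<String> roles) {}
    record ClientAccount(String id, String ownerLogin, long balanceCents) {}

    // Constructed sample data.
    static final Map<String, ClientAccount> ACCOUNTS = Map.of(
        "acct-1", new ClientAccount("acct-1", "alice", 125_00),
        "acct-2", new ClientAccount("acct-2", "bob", 980_00));

    // Role-only check: what a declarative method-level constraint expresses.
    static boolean roleAllows(Caller c) {
        return c.roles().contains("Customer");
    }

    // Instance-level check: role plus a relationship between caller and instance.
    static boolean instanceAllows(Caller c, ClientAccount a) {
        return roleAllows(c) && a.ownerLogin().equals(c.login());
    }

    static ClientAccount load(Caller c, String accountId) {
        ClientAccount a = ACCOUNTS.get(accountId);
        // Same failure for "missing" and "not yours" so ids cannot be probed.
        if (a == null || !instanceAllows(c, a)) {
            throw new SecurityException("access denied");
        }
        return a;
    }

    public static void main(String[] args) {
        Caller alice = new Caller("alice", Set.of("Customer"));
        for (String id : new String[] {"acct-1", "acct-2"}) {
            String result;
            try {
                result = "allowed, owner=" + load(alice, id).ownerLogin();
            } catch (SecurityException e) {
                result = e.getMessage();
            }
            System.out.println(id + ": role check=" + roleAllows(alice)
                + ", instance check -> " + result);
        }
    }
}
```

The role check is true for both accounts because it never looks at the instance; only the ownership comparison inside `load` separates the caller's own account from another customer's.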