Frank W. Zammetti wrote:
> What if you simply are not allowed to include security
> mechanisms in your application? (configuring groups isn't considered "in
> the application").

Not allowed? Don't tell 'em ;)

> Well, I can kind of answer my own question... of
> course we *are* allowed to see what group a user is in and act
> accordingly, so yes, I *could* code that sort of thing in a Dispatch-type
> Action. But then, (a) the benefit of externalized security decreases
> because it isn't quite so external any more, and

I don't really see any reasonable way around that, though... what if you're mandated to use a single-URI param-based webapp and only have LDAP? Well, you work around the limitations of the environment. How? You can always(-ish) intercept behavior at a higher level, whether through a filter, URL-rewriting, webserver module, etc.

In any case, I'd be more likely to handle this at a higher, more abstract level than inside my actual dispatch-style actions via a request processor, filter, etc. and configure it via a plug-in/etc. that can deal with whatever external mechanism is being used and set things up appropriately.

> (b) the request isn't
> getting stopped at the boundary, which is what we want, it's still getting
> into my application code to some degree.

Eh, IMO if it gets into your code but can't execute (much of) anything I don't see the issue(s), at least on a practical level.

I think we could debate mandate-based "what-if" scenarios until we both died but ultimately the answer will be the same: you work with or around whatever you have to work with or around.

Dave
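The filter-level approach discussed in this message, as an added example that is not part of the original e-mail or of any project's code: a servlet filter that authorizes the dispatch parameter against the caller's container-managed groups before any action code runs. The parameter name `method`, the operation names and the group names are assumptions, and the hard-coded table stands in for whatever configuration source is used.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Deny-by-default check on the dispatch parameter, run before any action code. */
public class DispatchAuthzFilter implements Filter {
    // Assumption: the single-URI app selects its operation with ?method=...
    private static final String DISPATCH_PARAM = "method";
    // Hypothetical operation -> required group table; real code would load it from configuration.
    private final Map<String, String> requiredRole = new HashMap<String, String>();

    public void init(FilterConfig cfg) {
        requiredRole.put("view", "users");
        requiredRole.put("edit", "editors");
        requiredRole.put("delete", "admins");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A repeated parameter is ambiguous (which value does the action see?), so reject it.
        String[] values = request.getParameterValues(DISPATCH_PARAM);
        String role = (values != null && values.length == 1) ? requiredRole.get(values[0]) : null;

        // Unknown or missing operation, or caller not in the mapped group: stop at the boundary.
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

`isUserInRole` returns false for an unauthenticated caller, so the filter also rejects requests that never logged in; the group membership itself still comes from the container's external realm (for example LDAP).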