-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

João,
On 11/18/2009 2:13 PM, João Nuno Silva wrote:
> Caldarale, Charles R wrote:
>>
>> I'm curious as to why you're reinventing this particular wheel. Why
>> not let Tomcat's built-in authentication handling do the hard work for
>> you, and you just supply either a custom Realm or a JAAS-compliant
>> login module to do the actual user validation? That would seem to be
>> a lot easier and a lot less dependent on the internals of the
>> particular Tomcat version you happen to be using.
>>
> I'm doing this as a hobby, not at work! With this in mind, my reasons are:
> 1) I want to have an authentication module that's independent of the
> servlet container used (because I think this behavior of request replay
> isn't a standard, but I might be wrong...);

You could look at securityfilter, which was built for just such a purpose. There's also ACEGI or "Spring Security", which is also independent of the container.

> 2) I believe I can better optimize session creation to reduce memory
> usage (because I won't save the previous request in session). I think
> this way I can be more tolerant of DoS attacks from unauthenticated users;

Empty sessions are pretty light. I would guess that your additional credential management overhead will end up being roughly equivalent to what Tomcat experiences using sessions to store its information.

> 3) I'm learning a few things in the process of reinventing this wheel ;)

Well, there's no reason to stop you, then :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksETrQACgkQ9CaO5/Lv0PABXQCfa+KNphg/3/1ojU2JXIFC3y0h
SxgAnibdF4O9EBgZk++WRKsr7zdEXWpd
=JUW5
-----END PGP SIGNATURE-----
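The design João describes in point 2, a container-independent login filter that never creates a session for an unauthenticated request and never stores the original request server-side, looks roughly like the following. This is an added example written for this thread; it is not code from João, from Chris, from securityfilter or from Spring Security. The class name `StatelessLoginFilter`, the `UserValidator` interface, the `/login` path and the `returnTo` parameter are all assumptions. It targets the javax.servlet API of Tomcat 6-era containers.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical container-independent login filter (added example, not from the thread).
 * Anonymous requests never allocate a session: the URL they asked for travels in the
 * login redirect's query string instead of being saved server-side, so an
 * unauthenticated client cannot make the server hold state on its behalf.
 */
public class StatelessLoginFilter implements Filter {
    static final String USER_ATTR = "authenticated.user"; // session attribute holding the principal
    static final String LOGIN_PATH = "/login";            // assumed login page path (relative to context)
    static final String RETURN_PARAM = "returnTo";        // assumed parameter carrying the original URL

    /** Pluggable credential check; an assumption, not a real API. Returns a user id or null. */
    public interface UserValidator {
        String validate(String username, String password);
    }

    private final UserValidator validator;

    // Containers instantiate filters with a no-arg constructor; a real deployment would
    // wire the validator in init(). Constructor injection keeps this example short.
    public StatelessLoginFilter(UserValidator validator) { this.validator = validator; }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (LOGIN_PATH.equals(path)) {
            handleLogin(request, response, chain);
            return;
        }

        // getSession(false) returns null rather than allocating one for anonymous traffic.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Redirect to the login page, carrying the requested URL in the query string.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) target += "?" + request.getQueryString();
        response.sendRedirect(request.getContextPath() + LOGIN_PATH + "?" + RETURN_PARAM + "="
                + URLEncoder.encode(target, "UTF-8"));
    }

    private void handleLogin(HttpServletRequest request, HttpServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
        if (!"POST".equals(request.getMethod())) {
            chain.doFilter(request, response); // let the login form itself render
            return;
        }
        String user = validator.validate(request.getParameter("username"),
                                         request.getParameter("password"));
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only a successful login creates a session, and it holds nothing but the principal.
        request.getSession(true).setAttribute(USER_ATTR, user);
        response.sendRedirect(safeReturnTarget(request));
    }

    /** Accept only same-site absolute paths from the client-supplied parameter (no open redirect). */
    static String safeReturnTarget(HttpServletRequest request) {
        String rt = request.getParameter(RETURN_PARAM);
        if (rt == null || !rt.startsWith("/") || rt.startsWith("//") || rt.startsWith("/\\")) {
            return request.getContextPath() + "/";
        }
        return rt;
    }
}
```

The trade-off Chris points out still applies: what this saves is the serialized copy of the original request (headers, parameters, body) that Tomcat's FORM authenticator keeps while the login is pending, not the session object itself, which is small. The redirect parameter also becomes client-controlled data, which is why `safeReturnTarget` refuses anything that is not a same-site absolute path.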