Leo,

On 9/20/2010 3:05 PM, Leo Donahue - PLANDEVX wrote:
> Chris,
>
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: Howto: call a Servlet from another Servlet (Example)?!
>>
> From my reading, the OP is doing his own authentication rather
> than using container-managed authentication.
>
> -chris
>
> I thought rolling your own authentication, rather than using
> container-managed security for authentication, is a bad idea? Is
> that just rhetoric?

That's a matter of perspective. I'd recommend using container-managed authentication and authorization to pretty much everybody. Or, failing that, at least use a library meant for doing such things, like ACEGI or securityfilter: the folks in charge of those projects have taken care to be spec-compliant (to the extent possible and/or desired) and properly test their products to ensure that they are safe.

Rolling your own authentication mechanism often leads to an insecure system. It's also usually not necessary: container-managed security works very well for most people, and the new servlet 3.0 changes to authentication even (I believe) allow the webapp to request authentication under certain other circumstances.

-chris
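The Servlet 3.0 programmatic authentication mentioned above, as an added example that is not part of the original message: a servlet that asks the container to authenticate only when a protected action is requested. The servlet name, URL, `export` parameter and `auditor` role are hypothetical, and a `<login-config>` is assumed to be present in web.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the path, parameter and role name are assumptions
// made for illustration. Assumes web.xml declares a <login-config>
// (BASIC, FORM, ...) backed by a container realm.
@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        boolean wantsExport = "true".equals(req.getParameter("export"));

        if (wantsExport) {
            // Servlet 3.0: ask the container to run its configured login
            // mechanism. Application code never parses or compares
            // credentials itself.
            if (req.getUserPrincipal() == null && !req.authenticate(resp)) {
                // The container has already written a challenge or
                // redirect to the response; nothing more to send.
                return;
            }
            // Authorization is also answered by the container's realm.
            if (!req.isUserInRole("auditor")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        resp.setContentType("text/plain");
        resp.getWriter().println(wantsExport
                ? "Full export for " + req.getRemoteUser()
                : "Public summary");
    }
}
```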