dev-blog

Wednesday, January 19, 2005

Container Managed Auth. vs Application Managed Auth. in J2EE web applications

Authentication and Authorisation (Auth.) are part of the J2EE standard.

One design question that arises in every J2EE web application project is whether to use Container Managed Auth. (CMA) or to implement your own Application Managed Auth. (AMA).

CMA in pure web applications offers:
  • a standard way for the application to query whether the user has a given role
  • a standard way to define how the user is authenticated (Basic authentication, Form-based authentication, ...)
On the other hand, CMA
  • does not define how an application server stores and retrieves the authentication/authorisation information (username/password, roles). This is left to the application server provider or to the application developer.
  • does not define how to plug code into an application server to extend the authentication with more advanced authentication strategies (Captcha etc.)
  • does not define how to maintain the authentication/authorisation information (e.g. how a user could change his password or how an administrator can add/remove roles)
AMA:
  • is portable across application servers
  • can be customized to any extent (e.g. authentication based on dynamic information)
On the other hand, AMA:
  • introduces a security risk due to buggy implementations
  • is not standardized
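To make the AMA trade-off concrete, here is an added example (not from the original post) of the same access rule implemented in application code as a servlet filter. The session attribute name, the `AuthenticatedUser` class, the `/login` path and the `admin` role are assumptions for this illustration. Everything the container did for free in the CMA case (deny by default, redirect to the login page, role check) is now the application's responsibility, which is where the "buggy implementation" risk comes from.

```java
// Added example (not from the original post): application-managed
// authentication/authorisation as a filter mapped to /* in web.xml.
// Attribute name, user class, paths and role names are assumptions.
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AppManagedAuthFilter implements Filter {

    /** Shape of what the login code stores in the session (assumed). */
    public static final class AuthenticatedUser {
        private final String name;
        private final Set roles;

        public AuthenticatedUser(String name, Set roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet(roles));
        }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    public static final String USER_ATTR = "example.authenticatedUser";

    /** Called by the application's own login servlet after it has verified the credentials. */
    public static void establishSession(HttpServletRequest req, AuthenticatedUser user) {
        // Drop any pre-login session so an id handed out before authentication
        // never becomes an authenticated one; AMA code must remember this itself.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_ATTR, user);
    }

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getServletPath();

        // Only the login page is reachable without an authenticated session.
        // Everything else is denied by default: an AMA filter that instead
        // lists the paths to *protect* silently exposes every path it forgot.
        if ("/login".equals(path)) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = req.getSession(false);
        AuthenticatedUser user = (session == null)
                ? null
                : (AuthenticatedUser) session.getAttribute(USER_ATTR);
        if (user == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        // Authorisation: the admin area additionally requires the admin role.
        if (path.startsWith("/admin") && !user.hasRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(request, response);
    }
}
```

The filter is portable and can be extended freely (a Captcha step, dynamic role lookups), but note how much of it is security-critical glue that CMA would have provided and tested for you.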

Definitely: if all use cases can be implemented with CMA, one should use it. But how often is that the case in real-world web applications?
