Saturday, January 10, 2004

J2EE: WebSphere Security

The WebSphere Redbook example I am experimenting with uses filter servlets to add programmatic security. The filter servlets are mapped to various URLs in the web.xml. The filter servlet checks for the existence of a user object in the session and redirects you to the login.jsp if it can't find one. If you are logged in, then the filter servlet will find the user object (this is added to the session when you log in) and pass you straight through to the resource you were after.

This is fab for sites with a few areas that require security but I am not convinced that it is a good approach for larger sites with hundreds of pages. Maybe I'm wrong but what I'd rather have (in a Domino stylee) is a declarative security approach much like our good old-fashioned ACLs.

This is all available in WebSphere of course but seems oriented towards LDAP and operating system user registries. Hmmm. What I was after was using the built-in WebSphere security features but pointing them at my custom user registry, so I was kind of pleased to find "Testing J2EE Security Applications Using a Custom Registry in WebSphere Studio V5".

Anybody else found any decent WebSphere security/authentication resources? If you have, please stick a comment on.

As Otis Redding said:

"I want security, yeah
I'm telling you, once say again, oh now
Security
And I want it in the end, oh"
