RE: [WDSCI-L] Protected webpages - how ?

["Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>]

> From: Larry Schweyer
> 
> Securing Web pages and servlets in WebSphere Application Server is a
wee
> bit more complicated than protecting pages in HTTP.

Just as a quick counterpoint - the J2EE security model is not the only
way to go.  It really depends on your application architecture.

The J2EE architecture has two pieces: authentication and access.
Authentication is just verifying whether you are who you say you are.
That's the role of LDAP or its brethren (and my guess is that single
singon comes into play here as well).

The access portion of security is similar in many ways to the
old-fashioned green-screen menu type of security, where a user is
authenticated to various application functions.  Whereas we had a
database file with user IDs and authorization, in J2EE, this happens to
be through roles defined in XML files.

Where your access authorization is defined really depends on where your
application controller resides.  If your architecture is highly
RPG-centric (that is, your business logic is encapsulated in RPG server
programs) then a perfectly acceptable alternative is to have the control
logic in your RPG code.

In this architecture, the form data from the browser is basically sent
down to an RPG program, which then determines the next page to display.
In this model, the controller job is an RPG program submitted under the
appropriate OS/400 user profile, and security is handled the way you
would handle any other sort of security.

I'm not saying one technique is better than the other, all I'm saying is
that you don't necessarily have to bother with the access side of J2EE
security if you don't want to.

Joe