
Is declarative servlet security useful?

Alex Sharkoff
Ranch Hand

Joined: Apr 11, 2004
Posts: 209
Hi all,

I'd like to know whether any of you use declarative security in the real world. How useful do you find it? In what sorts of situations should one use declarative security?

I appreciate your thoughts on this matter.

Alex (SCJP 1.4, SCBCD 1.3, SCWCD 1.4, SCJD 1.4)
Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311
Can't testify for the entire "real world"... the company I've just joined uses it for "coarse grained" security. Kind of like a safety net for simple checks.
For instance:

1) Declarative security is a good mechanism to make sure users log in before accessing sensitive content. It's easier to have an entire web sub-directory protected automatically by, say, "form based login", rather than go over each and every JSP/servlet and make sure they start by verifying the user has logged in.

2) We make limited use of declarative security determining which roles may access which pages.

3) However, we have many situations that require authorization mechanisms that are too sophisticated for simple declarative security. In such cases, we make additional checks within the *business logic (model)* layer. For instance: some users may be *allowed* to access a page showing equipment orders; however, they may only view *some* of the records, or have "read only" access to some records.
(We also have an application which is an adaptation of a crazy old legacy system, where permissions are too complicated to be described as roles; they rely on a dynamic table. Note that I'd recommend *avoiding* such policies at all costs - it's horrible - but the client insisted).