Petstore SignOn -- Why No WAF?

 
Ranch Hand
Posts: 527
The pet store manages user accounts in the application layer. It does not use any of the three login mechanisms specified by the J2EE platform (HTTP basic authentication, SSL authentication, or form-based login).
The SignOnFilter configuration file signon-config.xml defines both the signon page URL and which pages in the application are protected.
SignOnFilter has access to the SignOnEJB session bean, and the SignOnEJB has access to the User entity bean. But there are no WAF classes in between, like WebController (WC), EJBController (EC) or ServiceLocator.

It's just...

LogOnView --> SignOnFilter --> SignOnEJB --> User

Why is it so? Any comments?
 
Greenhorn
Posts: 22
I did not use standard login either.
You can do login with a Servlet filter. It is a very common way of doing it.

1) Divide your pages into 2 groups under 2 directories, public and private.
2) Put a filter in place; the condition to access the private directory is that the Session object USERID exists.
3) If the Session object USERID does not exist, go to the login page.
4) Search itinerary is in the public place.
5) Pay, list, confirm are in the private place.


Compared with the standard way, this approach gives you total control of the login process; you can also add some profile cache in the login.

It also has good portability, since you do not use any container-provided service.

-------------------------------------------

But after all, it is the same as standard login. Since the standard login is also based on some kind of filter, you do not see it, since it is done by the container.
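
The filter steps in the reply above, sketched as an added example that is not part of the original posts and is not the Pet Store's SignOnFilter. The class name `PrivateAreaFilter`, the `/private/*` mapping and the `/login.jsp` path are assumptions; `USERID` is the session attribute named in the reply.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it in web.xml with <url-pattern>/private/*</url-pattern>
// so that pay, list and confirm pages pass through it and public pages do not.
public class PrivateAreaFilter implements Filter {
    private static final String USER_KEY = "USERID";       // session attribute from the reply
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed login page path

    public void init(FilterConfig config) {
        // No configuration needed for this sketch.
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false) avoids creating a session for anonymous visitors.
        HttpSession session = req.getSession(false);
        boolean signedOn = session != null && session.getAttribute(USER_KEY) != null;

        if (!signedOn) {
            // Step 3: no USERID in the session, so send the browser to the login page.
            // The target is a fixed in-application path, never taken from the request.
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return; // do not call chain.doFilter: the private resource must not run
        }

        // Signed on: keep private pages out of browser and proxy caches, then continue.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

The login handler that sets `USERID` should invalidate the pre-login session and create a new one before storing the attribute, so a session ID issued before authentication is not carried into the authenticated session.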
 