Originally posted by Brian Buege:
Both great questions!!
Here are a few answers (I'll start from the bottom and work up):
The book includes working sample code for a Java-based SSL tunnel using the JSSE. It also discusses other tunneling products like stunnel. And it discusses them specifically in the context of securing a client-server app. AND, it has working sample code that includes a standalone client talking JDBC to a database, an applet client talking JDBC to a database, and a Java Web Start client talking JDBC to a database.
I think that one of the common misconceptions about J2EE security is that it's inflexible. I haven't found that to be the case. There are some things that it doesn't do well, but that's the case with any product.
For example, in SQL it's hard to do some things, but most people would think you were nuts if you suggested rolling your own database. It's kind of the same with J2EE security. There's some stuff that isn't elegant, but I haven't found anything that I couldn't work around yet... Again, just like SQL queries.
J2EE security provides for both declarative (specified in the deployment descriptor) and programatic (handled at runtime) authorization. This allows you to have the best of both worlds: For simple stuff, you can use the authorization in your DD, then when you need to get dynamic, you can interrogate your container to find the identity of the person calling your method and make authorization decisions in your code.
With the advent of JAAS in the newest app servers, this dynamic capability is increased even further and the possiblities are pretty endless.
If you'd like me to be more specific about any of the generalizations I've made above, let me know...
[ October 22, 2002: Message edited by: Brian Buege ]
Originally posted by Jamal Hasanov:
But start guide doesn't include everything...(for example how to add Oracle DS)
Originally posted by Jim Yingst:
Ah, you've stumbled into one of my pet peeves - a catch that does nothing. Look here for more info. Consider - what happens if the caller specifies a field or method name that doesn't exist?