> On 27.03.2015 at 13:08, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> On Friday, March 27, 2015, Mark Struberg <struberg_at_yahoo.de> wrote:
> In my opinion @RolesAllowed is often not enough. The strict String[] role based mode is one of the reasons EE-security is not used that often.
>
> I see it a bit different. My own opinion and what I've heard from (many) others is that @RolesAllowed and web.xml constraints are easy to use and have been sufficient.
At least for all the 0.2% of JavaEE programmers who are using it ;)
Of course I’m joking, but there is some truth in it ;)
I can only tell you that a simple String[] was not enough for almost all big projects I’ve been working on.
>
> IMHO, the major issue is the configuration of authentication stores
I totally agree with you on this one. I still wonder why there is no portable way to register a LoginModule. Otoh once you have the auth activated then it’s most times just a matter of httpServletRequest.getRemoteUser() or getUserPrincipal().
Btw I personally feel that JASPIC is way too complicated and also too limited (n-factor authz missing, etc). But I’m no expert in that area.
LieGrue,
strub