從專家組成立到現(xiàn)在，經(jīng)過(guò)3年的時(shí)間，JSR 196-Java Authentication Service Provider Interface for Containers 的草案終于出來(lái)和大家見(jiàn)面了.. 這個(gè)標(biāo)準(zhǔn)主要是給安全和用戶管理產(chǎn)品的開(kāi)發(fā)商(而不是應(yīng)用開(kāi)發(fā)者). 這個(gè)標(biāo)準(zhǔn)的出臺(tái)將使得JEE的服務(wù)器可以輕松的整合第三方的提供的驗(yàn)證服務(wù)，而不用像現(xiàn)在這樣，安全和用戶管理產(chǎn)品的開(kāi)發(fā)商還必須對(duì)每個(gè)應(yīng)用服務(wù)器都實(shí)現(xiàn)定制的接口從而才可以插入到這些服務(wù)器中，比如weblogic.security.spi.AuthenticationProvider.. 整合變得更加容易，下面是JSR中的描述：A typical message interaction between a client and server begins with a request from the client to the server. The server recieves the request and dispatches it to a service to perform the requested operation. When the service completes, it creates a response that is returned back to the client. The SPI defined by the specification is structured such that message processing runtimes can inject security processing at four points in the typical message interaction scenario. A message processing runtime uses the SPI at these points to delegate the corresponding message security processing to an authentication provider or module integrated into the runtime by way of the SPI. 標(biāo)準(zhǔn)中提到整個(gè)的解釋過(guò)程將包括4處地方，2處在client端(第一次request，在服務(wù)器response之前)，2處在服務(wù)器端(接收到request，和request處理完畢)... 點(diǎn)評(píng)： 標(biāo)準(zhǔn)的出臺(tái)對(duì)開(kāi)發(fā)廠商來(lái)說(shuō)是一件好事...當(dāng)然，在此之前，大家可以暫時(shí)現(xiàn)有的集成，或者使用Acegi，一個(gè)評(píng)價(jià)不錯(cuò)的安全框架...關(guān)于Acegi的介紹：http://www.matrix.org.cn/resource/article/1730_Acegi.html