Mike,
Michael Ni wrote:
> So during login, after a person enters his username and password, it
> will check to see if the username exists in the person table.
>
> If it does exist, it will verify the password and return his
> permission. That permission is stored in the session, and on each JSP page
> it will check to see if his permission is correct. If a person's
> permission is wrong, it will redirect you to another page.
>
> Although this method works, I don't know if it is very professional.
> Does anyone have any ideas how to set up a professional-style
> authentication system? Something a business would use where exposing
> customer information is a liability.

There's no reason not to use a pre-built authentication and authorization system. For instance, the J2EE container-managed AA is relatively good, if not very extensible.

I manage software development for a healthcare service where information security is a top priority. I recently switched from using container-managed AA to securityfilter (http://securityfilter.sourceforge.net), which is intended to be a drop-in replacement for container-managed AA. The syntax is the same for <security-constraint>, <web-resource-collection>, <auth-constraint>, etc., so you can pretty much just move your existing configuration from web.xml into another config file for use with securityfilter.

Since the AA is now outside of the container, you can comfortably extend the classes or replace the authenticator to suit your needs. For instance, I wanted to be able to log failed logins to my database. With the container-managed authentication, that was not possible without extending one of Tomcat's authenticators or resorting to other nasty hacks. With securityfilter, I was able to write my own basic authenticator (i.e. "SELECT * FROM user WHERE username=? AND password_hash=?") and then log failures to the database using the same db connection.
With container-managed AA and projects like securityfilter out there, there's no reason to write your own authentication or authorization code, unless you are really doing something exotic.

- -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
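The custom authenticator Chris describes (look the user up by username, check the password hash, and record failed attempts on the same database connection) as an added, stand-alone example. This is not securityfilter's code, nor Chris's; it does not implement securityfilter's Authenticator interface, and it uses Python with sqlite3 in place of a JDBC-backed Java class so it runs offline. The `user` and `login_failure` tables, the `salt` and `role` columns, the PBKDF2 hash and the sample account are all constructed here. One deliberate difference from the quoted query: the stored hash is fetched and compared in code instead of being matched in the WHERE clause, so each user can have its own salt and the comparison is constant-time.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed, in-memory stand-in for the application's user table.
# Column names username/password_hash follow the query quoted in the
# message; salt, role and the login_failure table are assumptions.
KDF_ITERATIONS = 100_000
# Fixed salt used only so that "unknown user" costs as much as "wrong password".
DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a salted, deliberately slow hash, not a bare digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def setup_db() -> sqlite3.Connection:
    """Create the (constructed) schema in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (
            username      TEXT PRIMARY KEY,
            salt          BLOB NOT NULL,
            password_hash BLOB NOT NULL,
            role          TEXT NOT NULL
        );
        CREATE TABLE login_failure (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            reason   TEXT NOT NULL,
            ts       TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        );
        """
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str, role: str) -> None:
    """Store a user with a fresh per-user salt."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO user (username, salt, password_hash, role) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), role),
    )
    conn.commit()


def log_failure(conn: sqlite3.Connection, username: str, reason: str) -> None:
    """Record the failed attempt on the same connection the lookup used."""
    conn.execute(
        "INSERT INTO login_failure (username, reason) VALUES (?, ?)",
        (username, reason),
    )
    conn.commit()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Return the user's role on success; log the failure and return None otherwise."""
    row = conn.execute(
        "SELECT salt, password_hash, role FROM user WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        hash_password(password, DUMMY_SALT)  # keep timing close to the wrong-password path
        log_failure(conn, username, "unknown user")
        return None
    salt, stored_hash, role = row
    if not hmac.compare_digest(hash_password(password, salt), stored_hash):
        log_failure(conn, username, "bad password")
        return None
    return role


def failure_count(conn: sqlite3.Connection, username: str) -> int:
    """Number of failed logins recorded for this username."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM login_failure WHERE username = ?", (username,)
    ).fetchone()
    return n


if __name__ == "__main__":
    db = setup_db()
    add_user(db, "alice", "correct horse battery staple", "admin")
    print(authenticate(db, "alice", "correct horse battery staple"))  # admin
    print(authenticate(db, "alice", "wrong"))                         # None
    print(authenticate(db, "mallory", "anything"))                    # None
    print(failure_count(db, "alice"), failure_count(db, "mallory"))   # 1 1
```

The role returned by `authenticate` is what the caller would put in the session (as in Michael's design) or hand to the filter for `<auth-constraint>` checks; the `login_failure` rows are what a lockout or alerting job would read.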