On 13/06/2011 09:44, Petr Hracek wrote:
> Only the simple question,
> What is the flag which URLs are protected?

It is time for you to read the Servlet specification.

> I have found that link
> http://tomcat-configure.blogspot.com/2009/01/tomcat-web-xml.html
> and specially section:
>
> How to secure your application with JAAS ?

And it looks like you need to read the Tomcat documentation as well.

Mark

>
> Let's say that my htdocs directory is there:
> /opt/testApp/htdocs/index.html
> and servlet storage is there:
> /opt/testApp/servlet/
>
> Logging page is mentioned here: /opt/globalPages/htdocs/index.html
>
> How to configure https://<ipaddress>/testApp/ so that if HTTP COOKIE
> is not defined then /opt/globalPages/htdocs/index.html will be shown
> otherwise /opt/testApp/htdocs/index.html will be shown.
>
> Thank you very much
>
> 2011/6/13 Pid <p...@pidster.com>:
>> On 13/06/2011 07:50, Petr Hracek wrote:
>>> First authentication is done so that if in the browser exists relevant
>>> HTTP COOKIE and validation of that cookie is done then page should be
>>> shown.
>>> How to do that I do not know from the tomcat point of view.
>>>
>>> Is there any possibility how to check valid HTTP COOKIE otherwise
>>> showing login page.
>>>
>>> If HTTP COOKIE is not existing then logging has to be done over my own
>>> program.
>>> How to do that I do not know as well.
>>>
>>> Are there any examples?
>>
>> From the little information you give, you're describing container
>> managed security. FORM auth as defined by the Servlet Spec can do just
>> that.
>>
>> You configure a Realm, some elements in web.xml which define where the
>> login form & error pages are, and which URLs are protected.
>>
>> p
>>
>>> 2011/6/13 Petr Hracek <phrac...@gmail.com>:
>>>> First authentication is done so that if in the browser exists relevant
>>>> HTTP COOKIE and validation of that cookie is done then page should be
>>>> shown.
>>>>
>>>> 2011/6/12 Mark Thomas <ma...@apache.org>:
>>>>> On 12/06/2011 20:29, Pid wrote:
>>>>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>>>>> And what about in case that I have my own program for accessing to the
>>>>>>> specific
>>>>>>> databases where the passwords are stored as hashes?
>>>>>>>
>>>>>>> Are there any possibilities how to run that program for getting unhashed
>>>>>>> password from database?
>>>>>>
>>>>>> Why not hash the inbound password, then send & compare it against the
>>>>>> one in the DB, rather than decoding it?
>>>>>>
>>>>>> The Realm implementations can handle this, if you're using a standard
>>>>>> hashing method that Java recognises.
>>>>>>
>>>>>> Hopefully you've not invented your own hashing method.
>>>>>
>>>>> Hmm. Hash functions are meant to be one way. It should be impossible to
>>>>> retrieve an unhashed password from the database.
>>>>>
>>>>> I hope that the original description is inaccurate rather than an
>>>>> example of (yet another) badly broken home-grown security solution that
>>>>> needs to be thrown away.
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>
>>>> --
>>>> Best Regards / S pozdravem
>>>> Petr Hracek
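
The web.xml elements the thread refers to (protected URLs, login form and error page for FORM auth), shown as an added example that is not part of any message above and is not taken from the Tomcat project. The role name testapp-user and the page names /login.html and /login-error.html are assumed for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml using Servlet specification elements. -->
<!-- Assumed values: role "testapp-user", pages /login.html and /login-error.html. -->

<!-- Which URLs are protected: every url-pattern listed in a security-constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- Only authenticated users holding this role are let through. -->
  <auth-constraint>
    <role-name>testapp-user</role-name>
  </auth-constraint>
  <!-- Require HTTPS so the password and the session cookie are not sent in clear text. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- What happens to an unauthenticated request: the container serves the login form. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Both paths are relative to the web application root, so the pages
         must live inside the application, not in another directory tree.
         The form posts j_username and j_password to j_security_check. -->
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role used in an auth-constraint is declared here. -->
<security-role>
  <role-name>testapp-user</role-name>
</security-role>

<!-- The Realm that checks the submitted user name and password is configured
     in Tomcat itself, not in web.xml. -->
```

The container tracks the authenticated session itself, so the application does not inspect a cookie to decide whether to show the login page.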