tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Basic design questions - User Authentication
Date Mon, 10 Jul 2000 16:11:37 GMT
Uma Shanker wrote:

> Hello !!!
> Please help me to understand these question.
> 1. How is user authentication done in Tomcat+Apache server? Is it local OS based, or
> does Apache have a special way to store users?

For Apache, there are lots of choices -- see the Apache documentation.

For Tomcat, it follows the rules for container-managed security defined in the Servlet API Specification,
which is available at:


which you will definitely want to download and read.

Tomcat's default implementation of a user database is an XML file named "$TOMCAT_HOME/conf/tomcat-users.xml".
For Tomcat 3.2, there is a commented-out section of the server.xml file that you can use instead to enable
accessing a database through JDBC for defining users and roles.  The configuration is pretty flexible (you can
tell Tomcat what tables and columns to look at in what database).

> 2. I want to store all the information about the user in a database (using JDBC), and just
> the userid and password independently. Where can I do this? Do I have to make a local OS userid/password
> for this, or is it better to do it from an LDAP server, etc.?
> [Is there some free LDAP server (maybe Java based) available?]

For JDBC access, see the answer to the previous question.  For any other data source, you
would need to create a "Realm" implementation and add it to Tomcat for this purpose.

> 3. Or can I just run a servlet that checks the database for userid/password (hopefully
> encrypted) and works on behalf of that user?

Unless you are running over an SSL connection, none of the HTTP security mechanisms protect you from people
snooping the network connection and grabbing your password.  Therefore, unless you are running across SSL,
I would strongly suggest *not* trying to use the OS username/password databases for this -- you would be
exposing information that lets crackers log in to your system itself.

> 4. What exactly is form-based authentication? Is it a common entry point?

See the servlet API spec.  Note that there are lots of bugs in the container managed security
implementation in Tomcat 3.1 -- be sure to use the latest version of Tomcat 3.2 for this.

> 5. Please provide me with related links.
> Thanks for your time
> /uma

Craig McClanahan
