tomcat-users mailing list archives

From "John de la Garza" <jdelaga...@designinsites.com>
Subject RE: formbased security
Date Mon, 04 Dec 2000 18:15:23 GMT
Can I manually stick the username/passwd into the server container? So the
user is not asked? For example, they log into my app...then they can browse
around without being asked to 'login' again...

Also can I keep the user/passwd list in a database instead of the
tomcatusers.xml file?

-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Thursday, November 30, 2000 4:43 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: formbased security


John de la Garza wrote:

> arg!
>
> I meant insufficient...sorry
>

I wondered if that's what you really meant :-)

>
> Is there more than the servlet 2.2 spec?
>

You might look into some of the new books and articles coming out that talk
about servlet 2.2.  Or, you could ask specific questions on issues that are
not clear.

Form based login started making sense for me after I understood the basic
philosophy.  Have you ever accessed a web site that uses BASIC security to
pop up a username/password dialog box?  And then, after you were successfully
authenticated, the server gave you the requested page?

Form based login should feel very much like that from the user's
perspective.  The first time he or she tries to access a protected page, the
login page will be shown first -- once they log on successfully, the
originally requested page will be shown.

It's not any more or less secure than BASIC authentication -- but form based
login lets you customize the look and feel of the login page, where BASIC
authentication does not.

Craig McClanahan