tomcat-users mailing list archives

From Christopher Schultz
Subject Re: web application - student need help Thank You's
Date Tue, 09 Jan 2007 15:56:55 GMT


Michael Ni wrote:
> So during login, after a person enters his username and password,  it
> will check to see if the username exists in the person table.
> If it does exist, it will verify the password and return his
> permission.  That permission is stored in the session, and each jsp page
> it will check to see if his permission is correct.  If a person's
> permission is wrong, it will redirect you to another page.
> Although this method works, I don't know if it is very professional.
> Does anyone have any ideas how to set up a professional style
> authentication system?  Something a business would use where exposing
> customer information is a liability.

There's no reason not to use a pre-built authentication and
authorization system. For instance, the J2EE container-managed AA is
relatively good, if not very extensible.

I manage software development for a healthcare service where information
security is a top priority. I recently switched from using
container-managed AA to securityfilter, which is intended to be a
drop-in replacement for container-managed AA. The syntax is the same for
<security-constraint>, <web-resource-collection>, <auth-constraint>,
etc. so you can pretty much just move your existing configuration from
web.xml into another config file for use with securityfilter.

Since the AA is now outside of the container, you can comfortably extend
the classes or replace the authenticator to suit your needs. For
instance, I wanted to be able to log failed logins to my database. With
the container-managed authentication, that was not possible without
extending one of Tomcat's authenticators or resorting to other nasty
hacks. With securityfilter, I was able to write my own basic
authenticator (i.e. "SELECT FROM user WHERE username=? AND
password_hash=?") and then log failures to the database using the same
db connection.

With container-managed AA and projects like securityfilter out there,
there's no reason to write your own authentication or authorization
code, unless you are really doing something exotic.

-chris
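
The database-backed authenticator with failure logging described in the message above, as an added example that is not code from the post or from securityfilter: it uses plain JDBC only and does not implement securityfilter's realm interface. It looks the user up by name and compares a salted PBKDF2 hash in constant time, rather than matching the hash in the WHERE clause as the message sketches. The table and column names (app_user, login_failure, salt, password_hash) and the iteration count are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example. Schema names are hypothetical; salt and password_hash are assumed NOT NULL.
public class DbAuthenticator {
    private static final int ITERATIONS = 210_000;          // assumed work factor
    private static final int HASH_BYTES = 32;
    private static final byte[] DUMMY_SALT = new byte[16];  // used when the user is unknown
    private final Connection db;

    public DbAuthenticator(Connection db) { this.db = db; }

    /** Returns true on success; every failure is recorded using the same connection. */
    public boolean authenticate(String username, char[] password, String remoteAddr)
            throws SQLException, GeneralSecurityException {
        byte[] salt = DUMMY_SALT;
        byte[] expected = null;
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT salt, password_hash FROM app_user WHERE username = ?")) {
            ps.setString(1, username);                       // bound parameter, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) { salt = rs.getBytes("salt"); expected = rs.getBytes("password_hash"); }
            }
        }
        // Hash even for unknown users so both failure paths do the same amount of work.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BYTES * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        boolean ok = expected != null && MessageDigest.isEqual(expected, actual); // constant-time
        if (!ok) logFailure(username, remoteAddr);
        return ok;
    }

    private void logFailure(String username, String remoteAddr) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement(
                "INSERT INTO login_failure (username, remote_addr, failed_at) "
                + "VALUES (?, ?, CURRENT_TIMESTAMP)")) {
            ps.setString(1, username);
            ps.setString(2, remoteAddr);
            ps.executeUpdate();
        }
    }
}
```

If the connection has auto-commit disabled, commit after authenticate() returns false so the failure row is not lost when the request's transaction rolls back.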

