tomcat-users mailing list archives

From "Narayanaswamy, Mohan" <Mohan.Narayanasw...@in.standardchartered.com>
Subject RE: web application - student need help Thank You's
Date Tue, 09 Jan 2007 05:18:00 GMT

Mike,

Using an RDBMS table for authentication isn't bad, but make sure you store
only the hashed password, so even the DBA can't read them. When the user
enters the password again, hash it and compare with the hashed password in
the db.

Make sure you have enabled https, so that even network sniffers can't read
them.

In general, organizations normally use an LDAP service to store passwords,
so every application can be accessed using the same user-id and password (or
using some sort of SSO application). If you need to know more about it,
dig out openldap.

Storing roles (or permissions) in the session is good, since it reduces the db
operations.

Hopefully you will also get more answers soon :). I am also curious to
know more about it from others.

Regards,
Mohan
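The scheme the reply recommends (store only a hash, re-hash on login and compare, hand back the permission level so it can be kept in the session as Mike describes), worked through as an added example. This is not code from the thread or from Tomcat; it uses an in-memory sqlite3 table as a stand-in for the RDBMS "person" table, and it goes beyond the reply's wording in three places that are my additions: a random per-user salt, a PBKDF2 work factor, and a constant-time comparison of the hashes. The iteration count and the table layout are assumptions.

```python
"""Hashed-password storage for a 'person' table (added example, not from the thread).

The table has no plaintext password column at all: only a salt and a PBKDF2
hash are stored, so a DBA reading the table sees nothing usable. Login
re-hashes the supplied password with the stored salt and compares in
constant time. sqlite3 in memory stands in for the real RDBMS.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def open_db() -> sqlite3.Connection:
    """Create the in-memory 'person' table (an assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL,"
        " permission TEXT NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the only form of the password that is ever stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def create_person(conn: sqlite3.Connection, username: str,
                  password: str, permission: str) -> None:
    """Insert a user, storing a fresh random salt and the hash, never the password.
    Parameterised SQL so the username cannot be used for SQL injection."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "INSERT INTO person (username, salt, pw_hash, permission) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), permission),
    )


def authenticate(conn: sqlite3.Connection, username: str, password: str):
    """Return the user's permission level on success, None on any failure."""
    row = conn.execute(
        "SELECT salt, pw_hash, permission FROM person WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Burn a hash anyway so an unknown username costs the same time as a
        # wrong password; otherwise response time leaks which names exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return None
    salt, stored_hash, permission = row
    if hmac.compare_digest(hash_password(password, salt), stored_hash):
        return permission          # caller puts this in the session
    return None


def demo() -> dict:
    """Register Mike's example user and exercise the three login outcomes."""
    conn = open_db()
    create_person(conn, "bob", "wawawawa", "admin")   # constructed sample user
    results = {
        "good": authenticate(conn, "bob", "wawawawa"),
        "bad_password": authenticate(conn, "bob", "wawawawb"),
        "no_user": authenticate(conn, "alice", "wawawawa"),
    }
    # What the DBA sees: the stored blob does not contain the password.
    stored = conn.execute(
        "SELECT pw_hash FROM person WHERE username = ?", ("bob",)
    ).fetchone()[0]
    results["plaintext_in_db"] = b"wawawawa" in stored
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real deployment the same `authenticate` result is what you would put in the session; the per-page check then only compares the session value against the page's required role and never touches the database again, which is the saving the reply points out.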



-----Original Message-----
From: Michael Ni [mailto:mikeni123@hotmail.com] 
Sent: Tuesday, January 09, 2007 9:17 AM
To: users@tomcat.apache.org
Subject: RE: web application - student need help Thank You's

I just want to thank everyone who provided input to my question.  I am
going to try to set up the connection pool.

By the way. I have another question about authentication to websites.

For authentication, currently I basically have a "Person" table, where
one field is your permission.

example  table person
                   username = bob,
                   password = wawawawa
                   permission level = admin

So during login, after a person enters his username and password, it
will check to see if the username exists in the person table.

If it does exist, it will verify the password and return his permission.

That permission is stored in the session, and each JSP page will
check to see if his permission is correct.  If a person's permission is
wrong, it will redirect you to another page.

Although this method works, I don't know if it is very professional.
Does anyone have any ideas how to set up a professional-style
authentication system?  Something a business would use where exposing
customer information is a liability.

mike



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




