Subject: RE: web application - student need help Thank You's
Date: Tue, 9 Jan 2007 10:48:00 +0530
Message-ID: <6ADAD16889178143BC0339F8AAF4B63712CF14@INHADXMB101V.zone1.scb.net>
From: "Narayanaswamy, Mohan"
To: "Tomcat Users List"

Mike,

Using an RDBMS table for authentication isn't bad, but make sure you store only the hashed password, so that even the DBA can't read them. When the user enters the password again, hash it and compare with the hashed password in the db.

Make sure you have enabled https, so that even network sniffers can't read them.

In general, organizations normally use an LDAP service to store passwords, so every application can be accessed using the same user-id and password (or using some sort of SSO application). If you need to know more about it, dig out OpenLDAP.

Storing roles (or permissions) in the session is good, as it reduces the db operations.

Hopefully you will also get more answers soon :). I am also curious to know more about it from others.

Regards,
Mohan

-----Original Message-----
From: Michael Ni [mailto:mikeni123@hotmail.com]
Sent: Tuesday, January 09, 2007 9:17 AM
To: users@tomcat.apache.org
Subject: RE: web application - student need help Thank You's

I just want to thank everyone who provided input to my question. I am going to try to set up the connection pool.

By the way, I have another question about authentication to websites.

For authentication, currently I basically have a "Person" table, where one field is your permission.
example table person
  username = bob, password = wawawawa
  permission level = admin

So during login, after a person enters his username and password, it will check to see if the username exists in the person table. If it does exist, it will verify the password and return his permission. That permission is stored in the session, and each jsp page will check to see if his permission is correct. If a person's permission is wrong, it will redirect you to another page.

Although this method works, I don't know if it is very professional. Does anyone have any ideas how to set up a professional style authentication system? Something a business would use where exposing customer information is a liability.

mike

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
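As an added example (not code from either poster), a hashed-credential version of Mike's "Person" table along the lines Mohan describes: each row keeps a random salt and a PBKDF2 hash instead of the password, and login re-hashes the submitted password with the stored salt and compares in constant time before handing back the permission level for the session. The PersonTable class and its in-memory map are hypothetical stand-ins for the RDBMS table.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical hashed-credential version of the "Person" table described in the thread. */
public class PersonTable {
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** One row: per-user random salt, PBKDF2 hash, permission level. No plaintext password. */
    record Person(byte[] salt, byte[] hash, String permission) {}

    // Constructed in-memory stand-in for the RDBMS table; under Tomcat this would be a DataSource.
    private final Map<String, Person> rows = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Store only salt + hash, so even a DBA reading the table cannot recover the password. */
    public void addPerson(String username, char[] password, String permission) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        rows.put(username, new Person(salt, pbkdf2(password, salt), permission));
        Arrays.fill(password, '\0');   // do not keep the plaintext around longer than needed
    }

    /** Re-hash the submitted password with the stored salt and compare in constant time.
     *  Returns the permission level to store in the session, or null when login fails. */
    public String login(String username, char[] password) throws Exception {
        Person p = rows.get(username);
        if (p == null) return null;   // unknown user; to hide which usernames exist, hash a dummy here too
        byte[] candidate = pbkdf2(password, p.salt());
        Arrays.fill(password, '\0');
        return MessageDigest.isEqual(candidate, p.hash()) ? p.permission() : null;
    }

    public static void main(String[] args) throws Exception {
        PersonTable table = new PersonTable();
        table.addPerson("bob", "wawawawa".toCharArray(), "admin");   // the example row from the thread
        System.out.println(table.login("bob", "wawawawa".toCharArray()));
        System.out.println(table.login("bob", "wrong".toCharArray()));
    }
}
```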