tomcat-users mailing list archives

From "Trevor Nielsen" <tniel...@wedgetail.com>
Subject Re: Security
Date Mon, 22 Apr 2002 05:39:51 GMT

There are so many ways to accomplish this depending upon what kind of
browser/client software your users are using, and how mickey-mouse
a solution you are prepared to use:

1.  As long as you know that your users have a browser that supports
    cookies (and this is now a security risk on the client side) you could
    use Sessions to authenticate, i.e. accept input from user on page,
    put it into a newly created HttpSession object, and then at each stage
    you can authenticate user/password info against a server stored
    database.

    Very secure - just remember to either kill the cookie at the end, or
    give it an expiration date which you can validate

2. You can do the same thing (much less professionally) by passing the
    username/password around in the parameters for http POST operations.

    Mostly Secure but a hassle

3. If you're not going for terribly good security, you could just use a secure
   gateway - take username/password in a form, evaluate against a user
   database and then when validated successfully send them to the protected
   pages and don't worry about checking again.

    Pretty Insecure

Hope that helps a bit,

Trevor.

----- Original Message -----
From: "Vladimir Vanyukov" <vze2b36z@verizon.net>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Monday, April 22, 2002 3:17 PM
Subject: Security


> I have seen this question here many times and have seen many answers but
> most of them never really ANSWERED the question. So I figured I'd ask
> one more time. Is there any way to programmatically authenticate users?
>
> Example:
> If I have a simple username/password form somewhere on an unprotected
> page, how do I use that information (assuming the user filled it out and
> submitted it) to allow him to view protected pages?
>
>
> --
> To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
> Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
>
>
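
Option 1 from the reply above, as an added example that is not part of the original thread: a login helper plus a servlet filter that re-checks the session on every protected request, which is what separates it from the check-once gateway in option 3. It stores only the authenticated username in the session rather than the password; `SessionAuthFilter`, `UserStore`, `authUser` and `/login.jsp` are hypothetical names, and the `javax.servlet` API (Servlet 3.1+) is assumed.

```java
// Added example, not from the original thread. Assumes the javax.servlet API
// (Tomcat 9 and earlier; Tomcat 10+ uses jakarta.servlet) and Servlet 3.1+.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionAuthFilter implements Filter {
    static final String USER_ATTR = "authUser";      // hypothetical attribute name
    static final String LOGIN_PAGE = "/login.jsp";   // hypothetical unprotected form page
    /** Hypothetical hook: check the submitted pair against the server-side user database. */
    public interface UserStore { boolean verify(String user, char[] password); }

    /** Call from the servlet that receives the login form POST. */
    public static boolean login(HttpServletRequest req, UserStore store) {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !store.verify(user, pass.toCharArray())) {
            return false;
        }
        req.getSession(true);                 // make sure a session exists
        req.changeSessionId();                // new ID after login blocks session fixation
        HttpSession s = req.getSession(false);
        s.setAttribute(USER_ATTR, user);      // store the identity only, never the password
        s.setMaxInactiveInterval(15 * 60);    // server-side expiry, in seconds
        return true;
    }

    /** Call from the logout servlet: destroys the server-side state behind the cookie. */
    public static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }

    /** Runs on every request mapped to the protected pages. */
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);            // do not create one here
        if (s == null || s.getAttribute(USER_ATTR) == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(rq, rs);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The filter only takes effect once it is mapped to the protected URL pattern in `web.xml`, and the login form should be served over HTTPS so the credentials and the session cookie are not sent in clear text.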

