John_Woo
Hi,
For a web-app login check, it's said the right way is to process
authentication and then to process authorization.
I'm wondering:
1. Does it mean it needs to connect to the database twice, once for
each of these two processes?
2. Does the table structure look like
name passwd role
If this is correct, then one connection can provide the role/passwd
info, so why can't we have one process to check and verify user/passwd
instead of two?
3. In Tomcat, tomcat-user.xml is the configuration for
user/passwd/role; is it secure to put this info in a file instead
of putting it in the DB?
Can anyone clarify?