how to process authentication and authorization

John_Woo

Hi,

For web-app login checking, it's said the right way is to process
authentication, then to process authorization.

I'm wondering:

1. Does it mean it needs to connect to the database twice, once for
each of these two processes?

2. Does the table structure look like

name passwd role

If this is correct, then one connection can provide the role/passwd
info, so why can't we have one process to check and verify user/passwd
instead of two?

3. In Tomcat, tomcat-user.xml is the configuration for
user/passwd/role. Is it secure to put this info in a file instead
of putting it in the DB?

Can anyone clarify?
 
Raymond DeCampo

John_Woo said:
> Hi,
>
> For web-app login checking, it's said the right way is to process
> authentication, then to process authorization.
>
> I'm wondering:
>
> 1. Does it mean it needs to connect to the database twice, once for
> each of these two processes?

That depends. More below.

> 2. Does the table structure look like
>
> name passwd role
>
> If this is correct, then one connection can provide the role/passwd
> info, so why can't we have one process to check and verify user/passwd
> instead of two?

Don't confuse the needs of the business logic layer (or middle tier)
with the needs of the back end database. Make your database in a manner
that allows for efficient usage. You should have an abstraction layer
between the business logic and the database (e.g. DAO, EJB, Hibernate,
etc.). It can worry about whether it needs to go to the database again
or if it has cached the information. Then your middle tier just asks
for the data it needs, when it needs it.

> 3. In Tomcat, tomcat-user.xml is the configuration for
> user/passwd/role. Is it secure to put this info in a file instead
> of putting it in the DB?

As secure as your file system, which may or may not be as secure as your
database. But much less convenient to change programmatically.

HTH,
Ray
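
The layering discussed in this thread, as an added example that is not part of the original posts: a hypothetical `UserDao` answers authentication and authorization as two separate questions while hitting the database once per user. Python's standard-library `sqlite3` keeps it self-contained; the `users`/`user_roles` schema, the salted PBKDF2 hashing and every name below are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

def pw_hash(password, salt):
    # PBKDF2 is this example's choice; the thread names no hashing scheme
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserDao:
    """Hypothetical data-access layer: callers never see SQL or the cache."""
    def __init__(self, conn):
        self.conn, self.db_reads, self._cache = conn, 0, {}
        conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
        conn.execute("CREATE TABLE user_roles (name TEXT, role TEXT)")

    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self.conn.execute("INSERT INTO users VALUES (?,?,?)", (name, salt, pw_hash(password, salt)))
        self.conn.executemany("INSERT INTO user_roles VALUES (?,?)", [(name, r) for r in roles])

    def invalidate(self, name):
        # must be called whenever a password or role changes, or stale grants linger
        self._cache.pop(name, None)

    def _load(self, name):
        if name not in self._cache:
            self.db_reads += 1  # one round trip fetches credentials and roles
            rows = self.conn.execute(
                "SELECT u.salt, u.pw, r.role FROM users u LEFT JOIN user_roles r"
                " ON r.name = u.name WHERE u.name = ?", (name,)).fetchall()
            if not rows:
                return None  # unknown users are never cached
            roles = frozenset(r[2] for r in rows if r[2] is not None)
            self._cache[name] = (rows[0][0], rows[0][1], roles)
        return self._cache[name]

    def authenticate(self, name, password):
        """Who are you? Hashes even for unknown names, compares in constant time."""
        rec = self._load(name)
        salt, stored = rec[:2] if rec else (b"\0" * 16, b"")
        return hmac.compare_digest(pw_hash(password, salt), stored) and rec is not None

    def authorize(self, name, role):
        """What may you do? Asked separately, after authentication has succeeded."""
        rec = self._load(name)
        return rec is not None and role in rec[2]

def demo():
    dao = UserDao(sqlite3.connect(":memory:"))
    dao.add_user("alice", "s3cret", ["user", "admin"])  # constructed sample data
    return dao
```

The middle tier calls `authenticate` and then `authorize`; `db_reads` shows that the second call is served from the cache.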
 
