servlet, jsp, secure login

[Ghost]

I am trying to set up a secure website. Each page will require user
authentication. The majority of this website is written in servlets
and JSPs. I was wondering what the most secure approach would be.

If I use a login page, that login page will need to send the parameter
values: "name" and "password" over an HTTP request to a servlet that
would query a database to see if that user is a registerd user. This
does not seem very secure.

Is there a more secure way to do this? How secure is it to use web.xml
to store user names and passwords? Is it better to use a database to
store these values?

Any suggestions would be appreciated. Thanks in advance.

 

[SMC]

I am trying to set up a secure website. Each page will require user
authentication. The majority of this website is written in servlets and
JSPs. I was wondering what the most secure approach would be.

If I use a login page, that login page will need to send the parameter
values: "name" and "password" over an HTTP request to a servlet that
would query a database to see if that user is a registerd user. This
does not seem very secure.

And you'd be right. Look up SSL. Practically all web/application servers
support it.

Is there a more secure way to do this? How secure is it to use web.xml
to store user names and passwords?

As secure as the system it resides on and as secure as the application
server that uses it.

From a design and maintenance perspective, not such a good idea IMHO.

Is it better to use a database to
store these values?

There are many solutions, this can be a good one.

Do some Googling.

Cheers