User authentication in Tomcat -- best practices?

Discussion in 'Java' started by Eduardo, Aug 29, 2004.

  1. Eduardo

    Eduardo Guest

    Hello, I would like to know what people use for
    user authentication in Tomcat.

    I am developing a small application with servlets and
    JSP where I want:

    - users log in before being able to do anything
    - if the user is not logged in and tries to access
    any other page, he gets the login page instead
    - the usernames and passwords live in a database

    As I see it, there are two main options for achieving
    this:

    1) Use JDBC realm to authenticate against the database

    2) Add code at the top of all the pages to verify that
    the user is logged in, etc.

    Number 1) seems the easiest solution, but I wonder how
    many people use it? It doesn't seem too portable to
    other non-Tomcat platforms... Anybody using it for
    your apps?

    Finally, is there any Number 3) option that I am missing?

    Thanks in advance for the help!

    Eduardo
    Eduardo, Aug 29, 2004
    #1

  2. Eduardo

    Sudsy Guest

    Eduardo wrote:
    <snip>
    > As I see it, there are two main options for achieving
    > this:
    >
    > 1) Use JDBC realm to authenticate against the database
    >
    > 2) Add code at the top of all the pages to verify that
    > the user is logged in, etc.
    >
    > Number 1) seems the easiest solution, but I wonder how
    > many people use it? It doesn't seem too portable to
    > other non-Tomcat platforms... Anybody using it for
    > your apps?
    >
    > Finally, is there any Number 3) option that I am missing?

    <snip>

    I use a variant of option 2, redirecting users to a SECURE login
    page if they're not currently logged-in. Save the URL they
    originally requested and forward them upon success.
    There should be lots of freely-available code showing how to do
    this, BTW. You can also use filters so that your JSP authors
    don't have to worry about what's happening "under the covers".
    Again, documentation should abound.
    Sudsy, Aug 29, 2004
    #2
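The filter variant of option 2 described in the reply above, as an added example that is not part of the original thread. It assumes the `javax.servlet` API (Tomcat 9 and earlier; Tomcat 10 and later use `jakarta.servlet`), a filter mapping of `/*` in web.xml, and hypothetical names `authUser`, `savedUrl`, `/login.jsp` and `/login`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; attribute names and paths below are hypothetical.
public class LoginFilter implements Filter {
    static final String USER_ATTR = "authUser";    // assumed: set by the login servlet on success
    static final String SAVED_URL = "savedUrl";    // original request, kept server-side
    static final String LOGIN_PAGE = "/login.jsp"; // assumed login form
    static final String LOGIN_POST = "/login";     // assumed servlet the form posts to

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // getServletPath() is container-normalized and carries no ;jsessionid suffix.
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        // The login form and its target must stay reachable, or the redirect loops.
        if (loggedIn || path.equals(LOGIN_PAGE) || path.equals(LOGIN_POST)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Save GETs only: replaying a POST after login would repeat a state change.
        if ("GET".equals(req.getMethod())) {
            String q = req.getQueryString();
            // Kept in the session, not in a request parameter, so a crafted link
            // cannot choose where the user lands after logging in.
            req.getSession(true).setAttribute(SAVED_URL, q == null ? path : path + "?" + q);
        }
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PAGE));
    }

    // Called by the login servlet once the password check has succeeded.
    public static String targetAfterLogin(HttpServletRequest req, HttpSession session) {
        String saved = (String) session.getAttribute(SAVED_URL);
        session.removeAttribute(SAVED_URL);
        // Defensive: never emit a scheme-relative ("//host") target.
        if (saved == null || saved.startsWith("//")) saved = "/";
        return req.getContextPath() + saved;
    }
}
```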

  3. Eduardo

    Oscar kind Guest

    Eduardo wrote:
    > I am developing a small application with servlets and
    > JSP where I want:
    >
    > - users log in before being able to do anything
    > - if the user is not logged in and tries to access
    > any other page, he gets the login page instead
    > - the usernames and passwords live in a database
    >
    > As I see it, there are two main options for achieving
    > this:
    >
    > 1) Use JDBC realm to authenticate against the database
    >
    > 2) Add code at the top of all the pages to verify that
    > the user is logged in, etc.
    >
    > Finally, is there any Number 3) option that I am missing?


    J2EE security:
    - Associate a security role with all pages but the login page and error
      pages (they don't contain any business functionality)
    - Each user that isn't logged in is redirected by the container (Tomcat
      for example) to the login page.
    - Configure the container to do one of the following:
      - Execute your code to authenticate a user (for example using JAAS)
      - Go to the database itself
      - ... (see the container documentation for more possibilities)


    --
    Oscar Kind http://home.hccnet.nl/okind/
    Software Developer for contact information, see website

    PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
    Oscar kind, Aug 30, 2004
    #3
  4. Eduardo

    Eduardo Guest

    Thanks for the responses everybody!

    Eduardo wrote:
    > Hello, I would like to know what people use for
    > user authentication in Tomcat.
    Eduardo, Aug 31, 2004
    #4
