User authentication in Tomcat -- best practices?

 
 
Eduardo
      08-29-2004
Hello, I would like to know what people use for
user authentication in Tomcat.

I am developing a small application with servlets and
JSP where I want:

- users log in before being able to do anything
- if the user is not logged in and tries to access
any other page, he gets the login page instead
- the usernames and passwords live in a database

As I see it, there are two main options for achieving
this:

1) Use JDBC realm to authenticate against the database

2) Add code at the top of all the pages to verify that
the user is logged in, etc.

Number 1) seems the easiest solution, but I wonder how
many people use it? It doesn't seem too portable to
other non-Tomcat platforms... Anybody using it for
your apps?

Finally, is there any Number 3) option that I am missing?

Thanks in advance for the help!

Eduardo
 
Sudsy
      08-29-2004
Eduardo wrote:
<snip>
> As I see it, there are two main options for achieving
> this:
>
> 1) Use JDBC realm to authenticate against the database
>
> 2) Add code at the top of all the pages to verify that
> the user is logged in, etc.
>
> Number 1) seems the easiest solution, but I wonder how
> many people use it? It doesn't seem too portable to
> other non-Tomcat platforms... Anybody using it for
> your apps?
>
> Finally, is there any Number 3) option that I am missing?

<snip>

I use a variant of option 2, redirecting users to a SECURE login
page if they're not currently logged-in. Save the URL they
originally requested and forward them upon success.
There should be lots of freely-available code showing how to do
this, BTW. You can also use filters so that your JSP authors
don't have to worry about what's happening "under the covers".
Again, documentation should abound.

 
Reply With Quote
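The filter approach described in the reply above (send unauthenticated users to the login page, remember the URL they asked for, return them there after login), as an added example that is not code from any poster in this thread. The class name, the session attribute names, the `/login` mapping and the `completeLogin` helper are assumptions, as are the `javax.servlet` API of that era, cookie-based session tracking, and an application served entirely over HTTPS with the filter mapped to `/*`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: gate every request behind a login check (all names are assumed).
public class LoginFilter implements Filter {
    static final String USER_ATTR = "authUser";       // set only after a successful login
    static final String TARGET_ATTR = "loginTarget";  // original URL, kept server-side
    static final String LOGIN_PATH = "/login";        // assumed mapping of the login servlet

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || LOGIN_PATH.equals(req.getServletPath())) {
            chain.doFilter(rq, rs);
            return;
        }
        // Remember only GET requests. The value is taken from the request line,
        // never from a client-supplied "next" parameter, so it stays inside this app.
        if ("GET".equals(req.getMethod())) {
            String path = req.getRequestURI().substring(req.getContextPath().length());
            String q = req.getQueryString();
            req.getSession(true).setAttribute(TARGET_ATTR, q == null ? path : path + "?" + q);
        }
        res.sendRedirect(req.getContextPath() + LOGIN_PATH);
    }

    // Called by the login servlet once the database password check has succeeded.
    static void completeLogin(HttpServletRequest req, HttpServletResponse res, String user)
            throws IOException {
        HttpSession old = req.getSession(false);
        String target = old == null ? null : (String) old.getAttribute(TARGET_ATTR);
        if (old != null) old.invalidate();             // new session id: blocks session fixation
        req.getSession(true).setAttribute(USER_ATTR, user);
        // Accept only an app-relative path; "//host" would be a protocol-relative redirect.
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            target = "/";
        }
        res.sendRedirect(req.getContextPath() + target);
    }
}
```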
 
 
 
 
Oscar kind
      08-30-2004
Eduardo wrote:
> I am developing a small application with servlets and
> JSP where I want:
>
> - users log in before being able to do anything
> - if the user is not logged in and tries to access
> any other page, he gets the login page instead
> - the usernames and passwords live in a database
>
> As I see it, there are two main options for achieving
> this:
>
> 1) Use JDBC realm to authenticate against the database
>
> 2) Add code at the top of all the pages to verify that
> the user is logged in, etc.
>
> Finally, is there any Number 3) option that I am missing?


J2EE security:
- Associate a security role with all pages but the login page and error
  pages (they don't contain any business functionality)
- Each user that isn't logged in is redirected by the container (Tomcat
  for example) to the login page.
- Configure the container to do one of the following:
  - Execute your code to authenticate a user (for example using JAAS)
  - Go to the database itself
  - ... (see the container documentation for more possibilities)


--
Oscar Kind http://home.hccnet.nl/okind/
Software Developer for contact information, see website

PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
 
 
Eduardo
      08-31-2004
Thanks for the responses everybody!

(Eduardo) wrote in message news:< om>...
> Hello, I would like to know what people use for
> user authentication in Tomcat.

 