On Fri, 24 Jun 2005 04:43:27 +1000, Ghost wrote:
> I am trying to set up a secure website. Each page will require user
> authentication. The majority of this website is written in servlets and
> JSPs. I was wondering what the most secure approach would be.
>
> If I use a login page, that login page will need to send the parameter
> values: "name" and "password" over an HTTP request to a servlet that
> would query a database to see if that user is a registered user. This
> does not seem very secure.
And you'd be right. Look up SSL. Practically all web/application servers
support it.
> Is there a more secure way to do this? How secure is it to use web.xml
> to store user names and passwords?
As secure as the system it resides on and as secure as the application
server that uses it.
From a design and maintenance perspective, not such a good idea IMHO.
> Is it better to use a database to
> store these values?
There are many solutions; this can be a good one.
Do some Googling.
Cheers
--
Sean
There's no place like 127.0.0.1
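
For the servlet/JSP setup discussed in this thread, the following web.xml fragment is an added example (not from either poster) showing how the servlet container can require login on every page and refuse to carry the login form or any page over plain HTTP. The role name `registered` and the paths `/login.jsp` and `/login-error.jsp` are assumptions; the user store (for example a database) is configured in the container and is not shown.

```xml
<!-- Added example: fragment placed inside <web-app> in WEB-INF/web.xml.
     Role name and page paths are assumptions for illustration. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <!-- No http-method elements, so every HTTP method is covered. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <!-- Only authenticated users holding this role may reach any page. -->
  <auth-constraint>
    <role-name>registered</role-name>
  </auth-constraint>

  <!-- CONFIDENTIAL makes the container redirect plain-HTTP requests to
       the SSL connector, so the name and password posted by the login
       form are never sent in clear text. With NONE (or with this element
       left out) the credentials would travel over plain HTTP. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Container-managed form login. The form in login.jsp posts the fields
     j_username and j_password to j_security_check; the container, not
     application code, checks them against its configured user store. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>registered</role-name>
</security-role>
```

The redirect to HTTPS only works once the application server has an SSL connector and certificate configured.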