Security

 
Ranch Hand
Posts: 110
Hey guys,
I have a question related to web security with Java.
Currently, I'm reading the chapter on security issues for the scwcd exam.
My question is: what is the best way to develop a website with a login feature?
I always thought that when users register with a website, their username and password are stored in a database, and then any time they log in, their username and password are matched against the ones in the database. So, now that I'm reading topics about security and the elements of the web.xml descriptor, I'm getting confused. How does this add extra security to a website compared with merely using a database to identify users?
Could someone please clarify this?
Thanx
 
Ranch Hand
Posts: 126
I use Apache, so if you configure your tomcat-users.xml to allow the users with roles, then your login form executes against those.
 
Ranch Hand
Posts: 189
Amir,
Perhaps you are tripping over type of authentication vs. credential storage. The web.xml file has elements that let you specify not only the authentication realm, but what authentication type to use. This means that you specify where the username and password store is (realm), and how to go about collecting the user's credentials (type).
The authentication types are basic, digest, form-based and client-certificate. Form-based with an SSL connection is probably most common.
For the realm, I would prefer to use a directory-based lookup, but if your application allows new users to sign themselves up, this may not be feasible (the app would have to bind to the LDAP server with write privileges). The uids and passwords can be kept in a database and accessed via JDBC, which is what you were referring to. Least preferred is a file-based store.
Hope this helps!
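As an added example (not posted by anyone in this thread), here is what the two replies above describe in concrete form: a web.xml that declares which URLs are protected, which role may reach them, that the exchange must run over SSL, and that the container should collect credentials with a form; the tomcat-users.xml file the second reply mentions, which is the credential and role store behind Tomcat's default realm; and the login page the container expects. The application name, URL patterns, role name, user and file names are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml (Servlet 2.4 descriptor, the version the SCWCD covers). -->
<!-- Constructed example; the paths and role name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- WHAT is protected and WHO may reach it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
      <!-- No <http-method> elements on purpose: listing only GET and POST
           would leave every other method (HEAD, PUT, ...) unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users holding this role get through. -->
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container redirect to HTTPS, so the
           form-submitted password never travels in clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- HOW credentials are collected (the "type" from the reply above).
       The store they are checked against (the "realm") is configured in
       the container, not here. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must be declared. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>

<!-- conf/tomcat-users.xml: the file-based store Tomcat's default realm reads.
     Role names here must match the <security-role> entries in web.xml.
     The user and password are placeholders, not real credentials. -->
<tomcat-users>
  <role rolename="member"/>
  <user username="alice" password="CHANGE-ME" roles="member"/>
</tomcat-users>

<!-- login.html: the form the container serves for FORM authentication.
     The action and field names j_security_check, j_username and j_password
     are fixed by the servlet specification; the container processes the
     POST itself, so the application never sees the submitted password. -->
<form method="post" action="j_security_check">
  <label>Username <input type="text" name="j_username"/></label>
  <label>Password <input type="password" name="j_password"/></label>
  <input type="submit" value="Log in"/>
</form>
```

This is where the extra security comes from: the container, not your servlets, intercepts every request to /members/*, forces HTTPS, redirects unauthenticated users to the login page, checks the submitted credentials against the realm, and then remembers the authenticated principal in the session, so no servlet can forget to check. Your servlets only see the result through `request.getRemoteUser()` and `request.isUserInRole("member")`. Note that tomcat-users.xml as shown holds passwords in clear text, which is why the reply above ranks a file store last; for a real site, back the realm with the database the original poster already has (Tomcat's JDBC realm) and store only password hashes there.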