Win a copy of Head First Android this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Tim Cooke
  • Junilu Lacar
Sheriffs:
  • Rob Spoor
  • Devaka Cooray
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
  • Tim Holloway
Bartenders:
  • Jj Roberts
  • Al Hobbs
  • Piet Souris

Web App Security

 
Greenhorn
Posts: 27
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

I just finished reading the chapter on Web App Security in HFSJ.

I will like to know whether new J2EE project actually do specify/use "<security-constraint>" in web.xml file or there are better and newer ways of achieving authentication and authorization.Listing all users and roles in "tomcat-users.xml" seems a bit tacky to me a better approach to me will be to use a database to store users and roles.


Will specify my users and roles in a database make most of the work(authentication and authorization) done by the container using "<security-constraint>" unnecessary?

It seems like the only important tag I may use if I'm to define my users and roles in a database will be "<user-data-constraint>", someone correct me if I'm wrong.

When I use a <login-config> is the user name and password compared with what is in tomcat-users.xml by the container or I have to retrieve these two parameters and do the comparison myself.
 
Bartender
Posts: 4109
72
Hibernate Fedora Chrome
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Moses Marfo wrote:...Listing all users and roles in "tomcat-users.xml" seems a bit tacky to me a better approach to me will be to use a database to store users and roles.


That's an in-memory realm, of course you can have JDBC realms. Check the Tomcat documentation.

When I use a <login-config> is the user name and password compared with what is in tomcat-users.xml by the container or I have to retrieve these two parameters and do the comparison myself.


Yes, by the container.
 
Moses Marfo
Greenhorn
Posts: 27
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
thanks
Vijitha
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic