
Web App Security

 
Moses Marfo

I just finished reading the chapter on Web App Security in HFSJ.

I would like to know whether new J2EE projects actually do specify/use "<security-constraint>" in the web.xml file, or whether there are better and newer ways of achieving authentication and authorization. Listing all users and roles in "tomcat-users.xml" seems a bit tacky to me; a better approach, to me, would be to use a database to store users and roles.

Will specifying my users and roles in a database make most of the work (authentication and authorization) done by the container using "<security-constraint>" unnecessary?

It seems like the only important tag I may use if I'm to define my users and roles in a database will be "<user-data-constraint>"; someone correct me if I'm wrong.

When I use a <login-config>, is the user name and password compared with what is in tomcat-users.xml by the container, or do I have to retrieve these two parameters and do the comparison myself?
 
Vijitha Kumara
Moses Marfo wrote: ...Listing all users and roles in "tomcat-users.xml" seems a bit tacky to me; a better approach, to me, would be to use a database to store users and roles.

That's an in-memory realm; of course you can have JDBC realms. Check the Tomcat documentation.

Moses Marfo wrote: When I use a <login-config>, is the user name and password compared with what is in tomcat-users.xml by the container, or do I have to retrieve these two parameters and do the comparison myself?

Yes, by the container.
 
Moses Marfo
Thanks, Vijitha.
 