matt ara wrote: The logic is that I would get the parameters from the form fields, then pull the username from the DB based on that form field and match it to the password. It doesn't seem to be working out; is this heading in the right direction?
Yes, you are heading in the right direction. What have you done to debug this? Are the username/password being passed correctly to the servlet? Is the SQL query returning correctly?
You can just use a SQL query and see whether it returns at least 1 row; if yes, then user authentication is successful. Why retrieve all the rows in the table and do a compare operation?
matt ara wrote: I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/passwords are in the DB.
What changes did you make in the JSP? Did you put the business logic/Java code inside the JSP? If yes, you are definitely heading in the wrong direction; revert them, use a servlet, and post here any questions/doubts you have...
And for the other part, that's the reason for the DD. In the DD, by setting it you can start using SSL, and configure a lot of other important things that have to do with authentication, authorization, confidentiality and data integrity. BTW, the other 3 methods for the <auth-method> tag are: BASIC, DIGEST and CLIENT-CERT.
If you want to learn more about this, I recommend the chapter on security in Head First Servlets and JSP.
Victor, you can also claim that the keyboard is not secure, as somebody can be looking over your shoulder when you type the password.
If GET is not secure, POST is also not secure. No request is secure simply based upon the choice of method. Requests are secure by using SSL.
Prasad Krishnegowda wrote: Tim, can you please explain which log files you were referring to?
The log files on the server. Apache, Tomcat and all other servers can be configured to log URL parameters if they don't do it out of the box already.
If GET is not secure, POST is also not secure.
Patently wrong - they are treated differently in ways that give rise to different security risks.
No request is secure simply based upon the choice of method.
Nobody said so. But in this context POST is more secure than GET.
Requests are secure by using SSL.
No. There's lots more to security than the choice of which HTTP method to use and the decision to use SSL.
The choice of method should be dictated by what the request is doing, not any supposed security concerns.
Using SSL is good, but Tim is correct in that there are other things that need to be done. Protecting against SQL injection is one of them.
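Putting the two pieces of advice above together (a query that only needs to return one row, and protecting against SQL injection) as an added example that is not code from this thread: the same pattern a servlet would use with a JDBC PreparedStatement, shown here in Python with its built-in sqlite3 module so it runs stand-alone. The users table and its two rows are constructed for the example.

```python
import sqlite3


def make_user_db():
    """Constructed in-memory stand-in for the users table the thread talks about.

    The thread compares the stored password directly; in a real deployment the
    column would hold a salted password hash and the check would be done
    against that hash instead of the raw password.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pa55w0rd")])
    conn.commit()
    return conn


def authenticate_concatenated(conn, username, password):
    """The fragile way: form input pasted into the SQL text.

    Anything containing a quote character becomes part of the query itself,
    which is the SQL injection exposure the thread warns about; here it simply
    fails on a legitimate username such as o'brien.
    """
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def authenticate(conn, username, password):
    """The recommended way: a parameterized query that needs only one row.

    The driver sends username/password as bound values, never as SQL text,
    and the result is a yes/no answer rather than a scan of the whole table.
    """
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def concatenation_breaks_on(conn, username, password):
    """True if the concatenated query cannot even be parsed for this input."""
    try:
        authenticate_concatenated(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False
```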
Bear Bibeault wrote: POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.
Maybe we operate in different environments with different security requirements. The prospect of passwords being captured in log files is an absolute no-go in my world.
Again, thanks for the help.