Chen, I am just curious as to what advantage/significance it will be to do
password comparison outside the database. I'm working on that issue right
now. So I wanted to know that in detail. Can you brief on the concept a bit?

Also Celeste, can you provide some code snippets of how you handle JSP and XML
together to handle user authentication?

Thanks in advance
Praveen

----- Original Message -----
From: "Chen, Gin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 15, 2001 2:23 PM
Subject: Re: Login Authentication against database...


> Thanks a great idea Celeste.
>
> Another approach may be to do the password comparison outside the
> database.
> So you say.. SELECT password FROM users WHERE username="user";
> And then do a password.equals("enteredpassword");
> -Tim
>
> -----Original Message-----
> From: Haseltine, Celeste [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Login Authentication against database...
>
>
> Joe,
>
> When my users log in, I capture their username and compare that name to
> those I have in an XML table on the server.  If the name exists in the XML
> table, and is still classified as Active, I then make a connection to my
> database, and verify the password, along with obtaining other info I need
> for access into different areas of our site.  Every time a new user is
> added to the database, I run a script that updates my XML file on the server.
> The XML table is located in a different directory on our site than the actual
> JSP/HTML pages, and has limited information.  Therefore, if someone did
> get their hands on it, they still could not log into our site.
>
> This allows me to do a "first verification" of the user, and then
> rejecting the user if appropriate, without even opening a connection or pulling a
> thread from the connection pool to my database.  I have one JSP that
> verifies the user exists in the XML table, before either handing off the
> user to another JSP for verification against the database, or redirection
> to a login error page.
>
> Celeste
>
> -----Original Message-----
> From: Joe Cheng [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 11:33 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Login Authentication against database...
>
>
> Celeste,
>
> what's a "more secure" means?  now you've got me curious.
>
> and Bob wasn't pointing out a loophole, just calling attention to the
> non-escaped values in the SQL statement below.
>
> -jmc
>
>
===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> JSP-INTEREST".
> For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
> DIGEST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
>  http://archives.java.sun.com/jsp-interest.html
>  http://java.sun.com/products/jsp/faq.html
>  http://www.esperanto.org.nz/jsp/jspfaq.jsp
>  http://www.jguru.com/faq/index.jsp
>  http://www.jspinsider.com
>

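Putting the thread's suggestions together as an added example (not code from any of the posters): a Python/sqlite3 sketch standing in for the JSP/JDBC code under discussion. The username is bound as a query parameter rather than spliced into the SQL text (the non-escaped-values problem Joe refers to), the password comparison happens in the application as Tim proposes but against a salted hash and in constant time instead of `String.equals()`, and Celeste's XML pre-check rejects unknown or inactive users before any database connection is opened. The `users` table layout, the XML layout and the sample accounts are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import sqlite3
import xml.etree.ElementTree as ET

# Constructed XML "table" of known users, in the spirit of Celeste's first
# verification step.  Layout and entries are assumptions for this example.
USERS_XML = """<users>
  <user name="alice" status="Active"/>
  <user name="bob" status="Inactive"/>
</users>"""

PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16  # used only to equalise timing for unknown users


def user_is_active_in_xml(xml_text, username):
    """First verification: is the name listed and still marked Active?"""
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        if user.get("name") == username and user.get("status") == "Active":
            return True
    return False


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the database never holds the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(conn, username, password, active=True):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, active) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), int(active)),
    )


def build_demo_db():
    """In-memory stand-in for the 'users' table; the sample accounts are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, active INTEGER)"
    )
    add_user(conn, "alice", "correct horse battery")
    add_user(conn, "bob", "hunter2", active=False)
    return conn


def authenticate(conn, username, entered_password):
    """Second verification against the database.

    The username is bound as a parameter, so quote characters in it are data,
    not SQL.  The comparison is done in the application (Tim's suggestion),
    but on hashes and in constant time rather than with String.equals().
    """
    row = conn.execute(
        "SELECT salt, pw_hash, active FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(entered_password, DUMMY_SALT)  # same work as the found path
        return False
    salt, stored_hash, active = row
    if not active:
        return False
    return hmac.compare_digest(hash_password(entered_password, salt), stored_hash)


def login(conn, xml_text, username, entered_password):
    """Celeste's two-stage flow: XML check first, database only if it passes."""
    if not user_is_active_in_xml(xml_text, username):
        return False  # rejected without touching the connection pool
    return authenticate(conn, username, entered_password)


if __name__ == "__main__":
    db = build_demo_db()
    for name, pw in [("alice", "correct horse battery"), ("alice", "wrong"),
                     ("bob", "hunter2"), ("alice' --", "anything")]:
        print(f"{name!r}: {'accepted' if login(db, USERS_XML, name, pw) else 'rejected'}")
```

The dummy hash on the not-found path keeps the response time roughly the same whether or not the username exists, and the `' --` username in the demo is handled purely as a literal string by the bound parameter, so it simply fails the XML check and, if it reached the database, would not match any row.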