> But, I do not want to use BASIC authentication. I have many different roles and hundreds of people per role. Users' name, role, etc. are stored in a database.

How authentication is performed (BASIC, form-based, DIGEST, or SSL client certificates) and how users are stored (database, directory server, local XML file, ...) are two separate questions. For most servers, any combination is possible. With Tomcat, for example, you can configure JDBCRealm to point at your user and role definitions in a database, and then use those users with any of the authentication methods. For more information, see:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
The choice between BASIC and form-based authentication, then, can be based on user interface related concerns, rather than worrying about a database.
Craig
--- Matt Raible <[EMAIL PROTECTED]> wrote:
A JDBCRealm can use BASIC authentication - it doesn't require form-based. Here's an example app that might help you out:
http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
HTH,
Matt
-----Original Message-----
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: Container-Managed Authentication <login-config> in web.xml vs. Specifying Paths in the struts-config.xml
I use Tomcat. I configured the Tomcat JDBCRealm so that I can use programmatic security testing, such as isUserInRole(), in my program.
Because Tomcat JDBCRealm is form based, I inserted the <login-config> and its sub-elements in my web.xml file (see below). As we know, the <form-login-page> and <form-error-page> are required.
My question is that the container-managed authentication does not seem to be consistent with what we usually do in Struts; e.g. we state the logical name and path for each .jsp page in the struts-config.xml file.
What is the Struts convention in dealing with user authentication? Should we specify the paths for the logon page and error page in the struts-config.xml, or should we use the <form-login-page> and <form-error-page> in the web.xml file?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SalesInfo</web-resource-name>
    <url-pattern>/SalesInfo/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/authentication/login.html</form-login-page>
    <form-error-page>/authentication/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>manager</role-name>
</security-role>
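The separation described in the reply at the top of this thread (user store versus authentication method), as an added configuration sketch that is not from the thread or from the Tomcat documentation. The JDBC driver, connection URL, account and table/column names are placeholders; the URL pattern, role and page paths are reused from the web.xml quoted above.

```xml
<!-- conf/server.xml (fragment): where users and roles are stored.
     Driver, URL, account, table and column names are placeholders. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.example.Driver"
       connectionURL="jdbc:example://localhost/authdb"
       connectionName="realm_reader"
       connectionPassword="CHANGE_ME"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>

<!-- WEB-INF/web.xml (fragment): how the browser is asked for credentials. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SalesInfo</web-resource-name>
    <url-pattern>/SalesInfo/*</url-pattern>
    <!-- no http-method elements: the constraint covers every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC and FORM both send the password without encryption of
         their own, so require TLS for the protected paths -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Variant 1: BASIC, checked against the JDBCRealm above -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SalesInfo</realm-name>
</login-config>

<!-- Variant 2: FORM, checked against the same JDBCRealm.
     A web.xml holds one login-config, so swap it in for Variant 1.
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/authentication/login.html</form-login-page>
    <form-error-page>/authentication/error.html</form-error-page>
  </form-login-config>
</login-config>
-->

<security-role>
  <role-name>manager</role-name>
</security-role>
```

Switching between the two variants changes only the login-config element; the Realm definition and the isUserInRole() checks in application code stay the same.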

