Jim,

I've been thinking about the custom class for authentication. Basically, that's what JAAS does, so when the JAASRealm is ready for primetime, you'll get your wish. However, I think it's great that Tomcat provides out-of-the-box authentication, even if it's not all things to everyone, and I hope there will always be that option.

As far as hashed or encrypted passwords go, I've been thinking about that and think for now a filter would be the way to go, but I'm not sure what the filter would be on! Until my current project, I, too, have always done authentication and authorization "by hand" but I thought I'd see if I could make my life easier by using the capabilities built-in.

Also, we're in agreement over the use of synthetic keys I think. Maybe it wasn't clear from my earlier posts, but I use "meaningless" ids. Even if my users assure me that such-and-such an attribute is unique and immutable, I'm still inclined to create my own int or long id. I like to create a key generator that relies on the db's sequence facility. I just have one sequence db-wide. I retrieve a batch of keys at once, like 500, and hand them out as requested until they're gone. Then I get another batch. I think I read this in a Scott Ambler paper. This also allows all objects in my application to have an application-wide unique id, which can be useful. Incidentally, different dbs handle sequences differently, which is another reason it's handy to have a key generator interface with multiple implementations that can be plugged-in as needed.

Ignacio,

You're right, I'm not a views expert. I'm a software developer, not a dba. (-: I try not to rely too much on what the db can do for me in order to maintain a little portability. I've worked on enough projects where we just didn't know what we could afford or where we would deploy. Some of those projects used MySQL, which as you know is somewhat limited feature-wise (ACID transactions, views, etc.)

thanks all,
john

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g]On Behalf Of Jim Seach
Sent: Thursday, March 07, 2002 9:38 AM
To: Tomcat Developers List
Subject: RE: [PATCH] change JDBCRealm to add flexibility in table layout

Ignacio,

I apologize for not reading more closely. You didn't -1 it, just expressed your opinion.

I agree your proposed changes would be much more flexible. Another option that might be nice would be the ability to specify a user supplied class to compute a password hash so only the hash needs to be stored in the database rather than the actual password.

I usually use custom authentication rather than using the container provided capabilities, but there may be times when this might be useful, so having well thought out and flexible components is always important!

Thanks,
Jim Seach
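
The pluggable password-hash class suggested in the quoted message, sketched as an added example that is not code from this thread or from Tomcat. The `CredentialHasher` interface and `Pbkdf2Hasher` class are hypothetical names, and the choice of salted PBKDF2, its iteration count and the `iterations:salt:hash` storage format are assumptions.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.*;
import java.util.Base64;

// Hypothetical plug-in contract (an assumption, not part of Tomcat's JDBCRealm).
interface CredentialHasher {
    String hash(char[] password) throws GeneralSecurityException; // value for the DB column
    boolean matches(char[] password, String stored) throws GeneralSecurityException;
}

final class Pbkdf2Hasher implements CredentialHasher {
    // Assumed parameters; tune the iteration count for the deployment host.
    private static final int ITERATIONS = 210_000, SALT_BYTES = 16, KEY_BITS = 256;
    private final SecureRandom rng = new SecureRandom();

    public String hash(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        rng.nextBytes(salt); // fresh random salt per credential
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(password, salt, ITERATIONS, KEY_BITS));
    }
    public boolean matches(char[] password, String stored) throws GeneralSecurityException {
        String[] p = stored.split(":");
        if (p.length != 3) return false;
        try {
            byte[] salt = Base64.getDecoder().decode(p[1]);
            byte[] expected = Base64.getDecoder().decode(p[2]);
            byte[] actual = derive(password, salt, Integer.parseInt(p[0]), expected.length * 8);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException malformed) {
            return false; // bad Base64, bad iteration count, or empty salt/hash
        }
    }
    private static byte[] derive(char[] pw, byte[] salt, int iters, int bits) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iters, bits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        CredentialHasher h = new Pbkdf2Hasher();
        String stored = h.hash("constructed-sample".toCharArray()); // constructed input
        System.out.println(h.matches("constructed-sample".toCharArray(), stored)
                + " " + h.matches("wrong-guess".toCharArray(), stored));
    }
}
```

Because the salt and iteration count travel with the stored value, the work factor can be raised later without invalidating existing rows.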