Though I'm not familiar with JDBCRealm (haven't gotten there yet), I
understand the issues and solutions you suggest, and in fact, the user
credentials are in a MySQL database. The problem is how to protect the
user/password the servlet uses to access the database. If the values
are simply stored in web.xml, what is to prevent anyone with access to
the system from reading the web.xml file and compromising the database
that stores user credentials? On the other hand, if web.xml is root
protected (i.e., need root privileges to read it), other than running
the servlet as root, how do I read the file. That's the quandary.
The Apache/cgi mechanism provides a simple solution using SetEnv's read
from a root protected Include file before the apache process drops
root privilege. What I need is a similar mechanism of securing the
servlet's credentials against unauthorized access while still enabling
the servlet to read them up. Since the unauthorized access I'm trying to
protect against is at the system level and not within java, java's own
security mechanisms are of no help.
Any suggestions??
-- Rob
--On Tuesday, February 20, 2001 07:53:43 PM -0500 Tom Woteki
<[EMAIL PROTECTED]> wrote:
> A very different approach from the one that you are used to, but
> which is explicitly supported by Tomcat, is to use the JDBCRealm
> class to perform user authentication in which you look up
> authentication credentials in an ODBC database.
>
> You can use either basic authentication, in which the browser obtains
> the authentication info, or form based in which you prepare a (jsp
> based) form of your own devise. You must configure Tomcat in the
> server.xml file to do this and you must configure the application in
> the web.xml file. In the latter you can specify collections of URL
> resources that need be authenticated and user roles (i.e
> authentication levels) that can have access to them. Finally, you
> need an ODBC compliant database and JDBC driver.
>
> Regards,
> --
> Tom Woteki, a.k.a. Dr. Wo
> mail to:<[EMAIL PROTECTED]>
> 202-544-2743 (fax)
> http://www.woteki.com/wines <-- a pure Java, Apache-Tomcat web
> application running under MacOSX
>>
>> What I am stumped on is how to accomplish the same in servlets
>> running under apache/tomcat. I know you can set properties files
>> for servlets (though I haven't tried it yet), but other than running
>> the servlet under root I don't see how to read up root protected
>> data.
>>
>> Thanks,
>> Rob
>
Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
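As an added illustration of the problem raised in this thread (not code from either poster): one way to keep the database user/password out of web.xml is to read them from a file outside the webapp that is owned by the account Tomcat runs as and has mode 0600, so the servlet can read it without root while other local users cannot. The path and property names below are assumptions for the example; the loader fails closed if the file is readable by group or others.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/** Loads DB credentials from a file outside the webapp and refuses unsafe permissions. */
public final class DbCredentials {
    // Assumed location: owned by the Tomcat service account, chmod 600, not under the webapp.
    private static final String DEFAULT_PATH = "/etc/tomcat/db.properties";

    private DbCredentials() {}

    /** Entry point a servlet would call from init(); path can be overridden with -Ddb.credentials=... */
    public static Properties load() throws IOException {
        String path = System.getProperty("db.credentials", DEFAULT_PATH);
        return load(Paths.get(path));
    }

    public static Properties load(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        // Fail closed: any group/others bit means another local user could read the password.
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                throw new IOException(file + " is accessible to group/others: " + perms);
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        // Assumed keys; refuse to start with an incomplete credential set.
        for (String key : new String[] {"db.user", "db.password"}) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing " + key + " in " + file);
            }
        }
        return props;
    }
}
```

Because the check runs at servlet startup, a deployment that accidentally leaves the file world-readable is caught before the servlet ever connects to the database.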