As long as you authenticate your users in https, to prevent the passwords from traveling across the internet unencrypted, you can use any method.
Filip

----- Original Message -----
From: "QM" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, June 17, 2004 4:04 PM
Subject: Re: basic authentication or not?

> (Please, create new messages when mailing the list. Responding to
> unrelated messages causes confusion for those of us who use thread-aware
> mailers.)
>
>
> : In a nutshell, I'm wondering if it's better NOT to use basic
> : authentication.
>
> My understanding is that FORM vs BASIC is just that the former lets you
> create a custom login page that maintains your app's look and feel.
> (read: that's all *I* have used it for ;)
>
>
> : At the moment, I'm not even sure we're using
> : basic authentication, and below I will outline my attempt to determine
> : if we're even using it...
>
> You mention that there are no <security-constraint> or <login-config>
> elements in the web.xml. You're checking the app-specific web.xml in
> WEB-INF, and not the general one in the Tomcat install dir? (Sorry to
> ask; I have to check.)
>
> Yet, there's a <Realm> def in server.xml?
>
> Perhaps auth is being done elsewhere (say, the web server), hence the
> <Realm> isn't being used, and is leftover from an earlier configuration.
> Unlikely, but worth investigating.
>
>
> : Aside from the big database used by our web application, we have a small
> : MySQL database whose sole purpose is to authenticate users. Would it be
> : just as simple to continue using that for authentication if we moved
> : away from this "popup box" authentication?
>
> If you move to FORM auth and use JDBCRealm, yes, you should be able to
> continue using this database. Provided, of course, the passwords are
> hashed in the way JDBCRealm expects.
>
>
> : Is there any good reason to
> : have this authentication database outside of our main database?
>
> One reason is load: separate auth traffic from app traffic. This also
> lets you share that single auth DB among several apps, and each app can
> have its own database for its data.
>
> -QM
>
>
> --
>
> software -- http://www.brandxdev.net
> tech news -- http://www.RoarNetworX.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
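
Added example (not part of the original messages and not Tomcat's own code): a small Python check for the two things this thread turns on, namely which auth-method a web.xml declares and whether each login-protected URL pattern is forced onto HTTPS. The sample descriptor is constructed, and `audit_web_xml` is a name chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): one constraint on HTTPS, one not.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

def _local(tag):
    """Drop the namespace so DTD-style and schema-style files both match."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return (auth_method, url patterns that need login but not HTTPS)."""
    root = ET.fromstring(xml_text)
    auth_method, exposed = None, []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "auth-method":
            auth_method = (elem.text or "").strip().upper()
        elif name == "security-constraint":
            kids = {_local(c.tag): (c.text or "").strip() for c in elem.iter()}
            # CONFIDENTIAL is the value that demands an encrypted transport.
            guarantee = kids.get("transport-guarantee", "NONE").upper()
            if "auth-constraint" in kids and guarantee != "CONFIDENTIAL":
                exposed += [c.text.strip() for c in elem.iter()
                            if _local(c.tag) == "url-pattern" and c.text]
    return auth_method, exposed

if __name__ == "__main__":
    method, exposed = audit_web_xml(SAMPLE_WEB_XML)
    print("auth-method:", method, "| login without HTTPS:", exposed)
```

A result of `None` for the auth-method means this particular web.xml declares no `<login-config>`, which is the situation the original poster describes.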