Subject: Re: More JDBCRealm Questions From: "Vic C." <[EMAIL PROTECTED]> ===
Soefara Redzuan wrote: > > I have set up a JDBCRealm and am using it with form-based login to > secure/protect my webapp. However, I have a few questions which I > hope somebody could help me with, > > 1. The JDBCRealm is set up with the following in server.xml. > > <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" > driverName="org.gjt.mm.mysql.Driver" > connectionURL="jdbc:mysql://localhost/authentication" > userTable="users" userNameCol="user_name" userCredCol="user_pass" > userRoleTable="user_roles" roleNameCol="role_name"/> > > However, I have noticed that this requires the password (stored in > the user_pass column) to be clear text, which I really don't like doing. > Is there any way to have store the passwords as hashes (ie. using the > password() function in MySQL) ? http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#JDBCRealm plus ssl should work > > 2. I read that "a call to j_security_check will be made by every attempt > access your secured pages". Since I am protecting every page in my > webapp, I'm wondering how efficient is "j_security_check" ? > Does it simply look at the session, or does it make a database call on > each and every request ? > > 3. How do you specify a page for authenticated users who do not have > the correct permissions/roles ? At the moment, I have this in web.xml, > > <login-config> > <auth-method>FORM</auth-method> > <form-login-config> > <form-login-page>login.jsp</form-login-page> > <form-error-page>login-error.jsp</form-error-page> > </form-login-config> > </login-config> > > login.jsp is the form that shows when an authenticated user tries to > access the site. > login-error.jsp is displayed when an incorrect username/password is > submitted. > > However, when a correct username/password is submitted but the user > does not > possess an adequate role, I see a default "You are not authorized" > message. > How can I customize the page that is shown in such circumstances ? > > > 4. Is there a formal method to logging out, rather than calling > invalidate() on the session ? > > 5. If your webapp's authentication works fine on Tomcat, would it then > work on say BEAWeblogic or IBMWebsphere ? > It should, but some of them claim to be servlet spec complaint and are not so you end up writing their support and asking for the complaince. (I find comerical support staffed by people who do not know servlet, so your job is realy hard) > Sorry for so many questions but I can't find a comprehensive description > of this anywhere. I've only found setup/configuration guides which deal > with the simple issues. > > Soefara. > > _________________________________________________________________ > Send and receive Hotmail on your mobile device: http://mobile.msn.com > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
