On Wed, 14 Aug 2002, Mark Schmeets wrote:

> Date: Wed, 14 Aug 2002 13:47:48 -0400
> From: Mark Schmeets <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: j_username in session cookie - where did it go?
>
> Well, I know there are a lot of other ways of doing this, but having the
> username and password from forms auth makes it very simple. The username and
> password are for the database. The servlet app isn't necessarily the only
> app to access certain data, there may well be some legacy and client-server
> apps too. Besides, some architects like to keep security at the database
> level.
> I didn't mean to suggest that there aren't other ways, just that Craig's
> suggestion sounded pretty severe.
>

Sorry ... but that's the kind of thing that happens when you depend on
non-portable features of one particular version of one servlet container.

Of course, the idea of using the same username/password for access to the
webapp (where any network snooper can read them) *and* the database (where
anyone inside your organization can cause all sorts of mischief) doesn't
sound like a real secure design in the first place, but that's a whole
different discussion.

Craig
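As an added illustration of Craig's point (example code, not from this thread or from Tomcat): a servlet that takes the authenticated identity from the portable Servlet API and reaches the database through a pooled, least-privilege service account, so the form-login password is never needed after the container consumes j_username/j_password. The JNDI name jdbc/AppDB, the `orders` table and its columns are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Assumes web.xml declares <auth-method>FORM</auth-method> for this URL and a
// <resource-ref> named jdbc/AppDB (hypothetical) bound to a pool that logs in
// with a dedicated service account, not with the end user's credentials.
public class OrdersServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Portable: the container already validated j_username/j_password.
        // Only the identity is exposed to the webapp, never the password.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        try {
            DataSource ds = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/AppDB");
            try (Connection c = ds.getConnection();
                 // Row-level restriction is enforced by binding the
                 // container-authenticated user as a parameter (hypothetical schema).
                 PreparedStatement ps = c.prepareStatement(
                         "SELECT id, total FROM orders WHERE owner = ?")) {
                ps.setString(1, user);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        out.println(rs.getInt("id") + "\t" + rs.getBigDecimal("total"));
                    }
                }
            }
        } catch (NamingException | SQLException e) {
            throw new ServletException("order lookup failed", e);
        }
    }
}
```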


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
