Thanks!!! Now, I have a best idea. I will "analyse" all this for the next week.
A very big Thanks!

Stéphanie

2010/4/1 Christopher Schultz <ch...@christopherschultz.net>:
> Stéphanie,
>
> On 4/1/2010 3:12 AM, Stéphanie Cettou wrote:
>> - the webapp is running in a Microsoft Windows 2003 Server environment.
>> Active Directory is NOT used on this server.
>
> Got it.
>
>> - Actually the users authenticate with a user/passwords/roles in a SQL
>> 2000 Database.
>
> Perfect! There's no reason to mess around with AD/NTLM/Kerberos or any
> of that stuff: just use a standard Realm that ships with Tomcat to
> authenticate against a JDBC user database.
>
> Uh, does "SQL 2000 Database" really mean "Microsoft SQL Server 2000"?
>
>> <Realm className="org.apache.catalina.realm.JDBCRealm"
>
> I highly recommend that you do *not* use JDBCRealm, as this realm is
> "effectively single-threaded" according to the Tomcat developers.
> Consider using DataSourceRealm instead, which uses a pool of JDBC
> connections to perform authentication.
>
>> driverName="net.sourceforge.jtds.jdbc.Driver"
>
> If you're running Microsoft SQL Server, you should probably be using the
> Microsoft JDBC driver. Although, I did look up jTDS and it looks like
> it's a decent driver.
>
>> userTable="Users" userNameCol="UserId" userCredCol="Password"
>> userRoleTable="UsersFeatures" roleNameCol="FeatureID" />
>>
>> like standard Tomcat authentication.
>
> Okay, great. It wasn't clear that you had an acceptable authentication
> solution already implemented.
>
>> But, I need to change to implement my goal...
>>
>> c) Can you use your own database? Yes (but I must implement
>> complex authentication)
>
> I see. Let's go to your previous message:
>
>> - Check type of password (more than 8 chars, special char,...)
>
> Tomcat does not provide any way to change passwords, so you'll have to
> implement these items yourself in your password-change code.
>
>> - Ask new password every month (from the web site)
>
> Again, you'll have to implement this yourself.
>
>> - Block the user after 3 failed logins
>
> Tomcat does not implement this until recent versions of Tomcat 6.x. Are
> you able to upgrade to the latest Tomcat 6.x? You can use LockOutRealm
> to do /some/ kind of blocking (I'm not sure exactly what your
> requirements are, and I'm not sure exactly what the LockOutRealm does to
> enforce the locking).
>
>> - Block inactive user (e.g. after 90 days)
>
> Tomcat does not do this, either: you'll have to either use your own
> authentication system (such as securityfilter
> http://securityfilter.sourceforge.net along with your own Realm
> implementation that includes additional data-checking during the login)
> or in some other way.
>
> We implement features like the above in our project by using
> securityfilter with a custom Realm, plus a "credential Filter" which
> checks password age and user status, and then does things like redirect
> all requests to the "change password" page if you need to change your
> password, etc.
>
> Perhaps something like that would work for you.
>
> Hope that helps,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
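
The realm setup suggested in the reply above, written out as an added example (not part of the original thread and not either poster's actual configuration): a pooled DataSourceRealm wrapped in a LockOutRealm, reusing the table and column names quoted in the thread. The resource name jdbc/authDB, the DB_* placeholders, the pool sizes and the lockOutTime value are assumptions.

```xml
<!-- META-INF/context.xml of the webapp (added example; DB_* values are placeholders) -->
<Context>

  <!-- Connection pool used for authentication lookups. The resource name,
       host, database and account are assumed; the driver class is the jTDS
       one quoted in the thread. Pool attributes are the Tomcat 6 DBCP names. -->
  <Resource name="jdbc/authDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="net.sourceforge.jtds.jdbc.Driver"
            url="jdbc:jtds:sqlserver://DB_HOST:1433/DB_NAME"
            username="DB_USER" password="DB_PASSWORD"
            maxActive="10" maxIdle="2" maxWait="5000"/>

  <!-- LockOutRealm wraps the nested realm and counts consecutive failed
       logins per user name. failureCount="3" matches the "3 failed logins"
       requirement; lockOutTime is in seconds (900 is an assumed value).
       The counters are kept in memory only: a lock expires by itself after
       lockOutTime and is forgotten when Tomcat restarts. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="3" lockOutTime="900">

    <!-- DataSourceRealm in place of JDBCRealm: same table and column
         attributes as in the thread, but every lookup borrows a connection
         from the pool above instead of sharing a single one.
         localDataSource="true" is required because the Resource is defined
         in this Context rather than in GlobalNamingResources.
         The role table must also contain a column named like userNameCol. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/authDB" localDataSource="true"
           userTable="Users" userNameCol="UserId" userCredCol="Password"
           userRoleTable="UsersFeatures" roleNameCol="FeatureID"/>
  </Realm>

</Context>
```

This covers only the failed-login lockout, and only as a temporary lock; the password rules, the monthly password change and the 90-day inactivity block still need application code, as the reply says.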