User authentication in Tomcat -- best practices?

E

Eduardo

Hello, I would like to know what do people use for
user authentication in Tomcat.

I am developing a small application with servlets and
JSP where I want:

- users log in before being able to do anything
- if the user is not logged in and tries to access
any other page, he gets the login page instead
- the usernames and passwords live in a database

As I see it, there are two main options for achieving
this:

1) Use JDBC realm to authenticate against the database

2) Add code at the top of all the pages to verify that
the user is logged in, etc.

Number 1) seems the easiest solution, but I wonder how
many people use it? It doesn't seem too portable to
other non-Tomcat platforms... Anybody using it for
your apps?

Finally, is there any Number 3) option that I am missing?

Thanks in advance for the help!

Eduardo
 
S

Sudsy

Eduardo wrote:
As I see it, there are two main options for achieving
this:

1) Use JDBC realm to authenticate against the database

2) Add code at the top of all the pages to verify that
the user is logged in, etc.

Number 1) seems the easiest solution, but I wonder how
many people use it? It doesn't seem too portable to
other non-Tomcat platforms... Anybody using it for
your apps?

Finally, is there any Number 3) option that I am missing?
Click to expand...
<snip>

I use a variant of option 2, redirecting users to a SECURE login
page if they're not currently logged-in. Save the URL they
originally requested and forward them upon success.
There should be lots of freely-available code showing how to do
this, BTW. You can also use filters so that your JSP authors
don't have to worry about what's happening "under the covers".
Again, documentation should abound.
 
O

Oscar kind

Eduardo said:
I am developing a small application with servlets and
JSP where I want:

- users log in before being able to do anything
- if the user is not logged in and tries to access
any other page, he gets the login page instead
- the usernames and passwords live in a database

As I see it, there are two main options for achieving
this:

1) Use JDBC realm to authenticate against the database

2) Add code at the top of all the pages to verify that
the user is logged in, etc.

Finally, is there any Number 3) option that I am missing?
Click to expand...

J2EE security:
- Associate a security role with all pages but the login page and error
pages (they don't contain any business functionality)
- Each user that isn't logged in is redirected by the container (Tomcat
for example) to the login page.
- Configure the container to do one of the following:
- Execute your code to authenticate a user (for example using JAAS)
- Go to the database itself
- ... (see the container documentation for more possibilities)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Best Practices for Implementing Serverless Functions in a Microservices Architecture 2
Database usage best practices 11
Tomcat & Apache webserver authentication 0
Authentication without authorization in tomcat 5.5 0
Logging - Best Practices 4
tomcat manager autentication problem 0
ASP.NET Forms Authentication Best Practices 0
how to disable Tomcat authentication-cache 0

Members online

No members online now.
Total: 30 (members: 0, guests: 30)
Robots: 353

Forum statistics

Threads
473,994
Messages
2,570,223
Members
46,813
Latest member
lawrwtwinkle111

Latest Threads

Top