"Sean Bruton" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On Fri, 2003-11-21 at 16:00, Kumar, Sumit wrote:
> > I am trying to use authentication of a product, that uses Basic
> > authentication using JAAS. It stores data in database using SHA-1 encryption
> > and uses Tomcat as servlet engine. Not in any of the web.xml of several
> > webapps deployed do they specify to use Basic authentication. I am wondering
>
> Tomcat supports basic, form, client-cert, and digest authentication.
>
> Unfortunately digest suffers the same security issues as basic
> authentication, is not supported by most browsers, and is not required
> by the servlet spec... so I wouldn't recommend you use it.
>
Unfortunately, the JAASRealm (like most Tomcat Realms) doesn't support client-cert auth. You will probably need your own custom Realm to deal with this.

> If client-cert authentication is not an option then go for basic or form
> auth and assign a transport-guarantee to ensure the authentication
> happens over secure channels (SSL). (Not sure how transport-guarantee
> works w/ alternate front-end via mod_jk and such but similar steps can
> be taken with Apache or IIS)
>
> > Is there any other place also where you can specify the login-config and
> > realm-name besides web.xml. Or any other suggestions to go about it.
>
> Nope, not for container managed authentication with Tomcat.
>
> >
> > -sumit
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]