In a nutshell, I'm wondering if it's better NOT to use basic authentication. We have over 10,000 regular users, and I think it would be good for us to move to a more standard login page instead of that authentication box that pops up. My question is, would we have to change a lot to do this? At the moment, I'm not even sure we're using basic authentication, and below I will outline my attempt to determine if we're even using it...
When you type the URL to our website, it pops up an authentication box before it shows you anything else and you must get past that to get into the web app. As far as I understand (the original developer is no longer with us), we are using basic authentication with Tomcat 4. However, I was perusing this document to figure out where our basic authentication is configured and it doesn't look like we have all this stuff:

http://www.jguru.com/faq/view.jsp?EID=1131436

Notable exceptions are any <security-constraint> or <login-config> nodes in our web.xml, and since the example on the jguru page put BASIC in the <login-config> node, I'm really not sure that we're using basic authentication (although that's still my gut feeling).

In our server.xml, I see that both of the following are uncommented, but I'm guessing that only the second one is being used since I don't think we have anything (no JNDI) set up for the first one:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           debug="0" resourceName="UserDatabase" />

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://127.0.0.1/mainDB"
           connectionName="user" connectionPassword="pass"
           userTable="users" userNameCol="Username" userCredCol="Password"
           userRoleTable="roles" roleNameCol="Role" />

Aside from the big database used by our web application, we have a small MySQL database whose sole purpose is to authenticate users. Would it be just as simple to continue using that for authentication if we moved away from this "popup box" authentication? Is there any good reason to have this authentication database outside of our main database? Or is this somehow protecting our web app more--making you authenticate before you ever communicate with anything in our site (e.g. a LoginServlet or something like that)?

I know this is long...I appreciate any feedback, though!
Thanks,
Stephen
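
For reference, an added example (not part of the message above and not the site's actual configuration): with container-managed security, the choice between the pop-up box and a login page is the `<auth-method>` in `WEB-INF/web.xml`, while the `<Realm>` in `server.xml` that checks the credentials stays as it is. The role name `member`, the `/*` URL pattern and the two page paths are assumptions.

```xml
<!-- WEB-INF/web.xml fragment. Element order follows the Servlet 2.3 DTD:
     security-constraint, then login-config, then security-role. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed role; it must match a value stored in the realm's
         roleNameCol (the "Role" column of the "roles" table). -->
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends base64(user:password) on every request and FORM
         posts the password once; neither is encrypted, so require TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Pop-up box variant. Only one login-config element is allowed, so it
     is shown here as a comment:

     <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>Example Realm</realm-name>
     </login-config>
-->

<!-- Login page variant. The container still authenticates against the
     same Realm; only the way credentials are collected changes. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Assumed paths. The login page's form must POST to
         j_security_check with fields j_username and j_password. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```

With FORM the container tracks the login in the HTTP session, so session timeout and cookie handling become part of the authentication surface in a way they are not with BASIC.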