Duh. I was looking in the general Tomcat web.xml--yes, in my app-specific one, we're using BASIC authentication.
Ok, so Tomcat knows to use the additional MySQL database for authentication.

Right now, if you go to www.ourDomain.com it'll make you authenticate and then it will forward you to the default web application at www.ourDomain.com/DefaultApp/Welcome.jsp, and we have several web apps and you can cross from one to the other without authenticating, so you could go up and modify the URL to www.ourDomain.com/OtherApp/index.jsp and you'd be there instantly.

So my question is, if we changed to form-based authentication so we could present our look and feel from the start, would it work for authenticating all the web apps if the login page was under a particular web app's folder? In other words, where would and could we stick a Login.jsp that would be presented to the user when you type www.ourDomain.com?

Thanks so much,
Stephen

----- Original message -----
From: "QM" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Date: Thu, 17 Jun 2004 16:04:21 -0500
Subject: Re: basic authentication or not?

(Please, create new messages when mailing the list. Responding to unrelated messages causes confusion for those of us who use thread-aware mailers.)

: In a nutshell, I'm wondering if it's better NOT to use basic
: authentication.

My understanding is that FORM vs BASIC is just that the former lets you create a custom login page that maintains your app's look and feel. (read: that's all *I* have used it for ;)

: At the moment, I'm not even sure we're using
: basic authentication, and below I will outline my attempt to determine
: if we're even using it...

You mention that there are no <security-constraint> or <login-config> elements in the web.xml. You're checking the app-specific web.xml in WEB-INF, and not the general one in the Tomcat install dir? (Sorry to ask; I have to check.)

Yet, there's a <Realm> def in server.xml? Perhaps auth is being done elsewhere (say, the web server), hence the <Realm> isn't being used, and is leftover from an earlier configuration.
Unlikely, but worth investigating.

: Aside the big database used by our web application, we have a small
: MySQL database whose sole purpose is to authenticate users. Would it be
: just as simple to continue using that for authentication if we moved
: away from this "popup box" authentication?

If you move to FORM auth and use JDBCRealm, yes, you should be able to continue using this database. Provided, of course, the passwords are hashed in the way JDBCRealm expects.

: Is there any good reason to
: have this authentication database outside of our main database?

One reason is load: separate auth traffic from app traffic. This also lets you share that single auth DB among several apps, and each app can have its own database for its data.

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
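
The BASIC-to-FORM switch discussed in this thread, as an added configuration example that is not part of the original messages. The role name, the error page name, and the database table, column and connection values are assumptions; only Login.jsp and the use of JDBCRealm with a MySQL auth database come from the thread.

```xml
<!-- WEB-INF/web.xml of one web app. <login-config> is declared per
     application, so each app that shows the custom page carries its own. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name> <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC and FORM both send the password unencrypted unless TLS is required -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Before: the browser "popup box"
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example realm</realm-name>
</login-config>
-->

<!-- After: a custom page with the application's look and feel -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/LoginError.jsp</form-error-page> <!-- assumed name -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>

<!-- Login.jsp must POST the fields j_username and j_password
     to the action j_security_check. -->

<!-- server.xml: the Realm is the same for BASIC and FORM. All values
     below are placeholders; digest must name the algorithm the stored
     passwords were actually hashed with. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/authdb"
       connectionName="DBUSER" connectionPassword="DBPASS"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA"/>
```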