For a single webapp with a database, I have used md5 hashes. I believe MySQL does the same for its users table. If you have a whole suite of applications that you know you would like to tie into, I like authentication to be taken care of by a separate web-app. Hope this helps. R
-----Original Message-----
From: Anderson, M. Paul [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 06, 2004 12:00 PM
To: 'Tomcat Users List'
Subject: Authentication Mechanisms

What mechanisms do you developers typically use for preventing unauthorized access to a web application? I'm trying to determine the best approach for my web app. Here are the basic guidelines I need to follow:

1. We must limit access to the site to registered users.
2. We currently use BASIC authentication.
3. We currently store passwords in a database in plain text but we now wish to encrypt them.
4. I was leaning towards using DIGEST authentication but am not convinced it works correctly based on various articles/books I've seen.

Do you recommend any other approaches? Eventually we will be moving towards a salted-hash scheme for encryption but we were hoping we could stand up a site using DIGEST to provide some basic initial encryption before moving to the stronger scheme. Any advice would be appreciated.