Gagnon, Joseph M (US SSA) wrote:

Did I not say that I'm new to this?

I made no mention to whether or not I was trying to make it secure.
This is only meant to be used within my company's intranet and my
intention was to take the user account and then compare it with a set of
registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind
of mechanism (although I don't understand yet how to go about that, or
how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm
new at this), please let me know.

The HttpServletRequest interface gives you the remoteUser() method to determine WHO requested the page. How the server gets this is another story. Basically, some sort of authentication has to take place. Keep in mind that in production people usually place Apache as a front-end, which can have benefits in your case.

There are several mechanisms available for authentication:

- HTTP Basic (both TC and Apache can do this) unencrypted user/pass
- HTTP Digest (both TC and Apache can do this) MD5 Digest hashing (secure)
- HTTPS Client Certificate (both TC and Apache can do this)
- HTTP Negotiate (TC cannot do this, Apache needs mod_krb_auth or similar module, IIS can do it)

"Basic" is supported by all browsers, Digest is not so commonly supported (AFAIK), HTTPS is widely supported. "Negotiate" is intended for MS Active Directory, since it can go with Kerberos V. It requires advanced sysadmin skills to set up, but it will give your users the ability to log in to ADS and use those credentials for authentication to your application.

Nix.
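An added example of the pattern Nix describes, where the container (or Apache in front of it) does the authentication and the servlet only reads the resulting identity and compares it with the application's registered users. This is example code written for this thread, not from the original posters or from Tomcat's own sources; the web.xml fragment, the servlet name and the in-memory stand-in for the registered-user table are assumptions.

```java
// Added example (not from the thread): a servlet that relies on the servlet
// container for authentication and then checks the caller against the
// application's own list of registered users.
//
// Assumes a web.xml security-constraint such as the following (BASIC shown;
// auth-method can also be DIGEST or CLIENT-CERT, per the list above). The
// CONFIDENTIAL transport guarantee forces HTTPS, which matters for BASIC
// because it sends the password unencrypted.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>App</web-resource-name>
//       <url-pattern>/app/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>user</role-name></auth-constraint>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>Intranet</realm-name>
//   </login-config>
//   <security-role><role-name>user</role-name></security-role>

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RegisteredUserServlet extends HttpServlet {

    // Stand-in for the application's DB table of registered users (constructed
    // sample data; a real deployment would query the DB with a PreparedStatement).
    private static final Set<String> REGISTERED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("jgagnon", "nix")));

    /** Normalises the container-supplied account name before the lookup; null if absent. */
    static String normalize(String remoteUser) {
        if (remoteUser == null || remoteUser.trim().isEmpty()) {
            return null;
        }
        String name = remoteUser.trim();
        // Negotiate/Kerberos and some client certificates yield "DOMAIN\user" or
        // "user@REALM"; keep only the bare account name so it matches the DB column.
        int backslash = name.lastIndexOf('\\');
        if (backslash >= 0) {
            name = name.substring(backslash + 1);
        }
        int at = name.indexOf('@');
        if (at >= 0) {
            name = name.substring(0, at);
        }
        return name.toLowerCase(Locale.ROOT);
    }

    static boolean isRegistered(String remoteUser) {
        String name = normalize(remoteUser);
        return name != null && REGISTERED.contains(name);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRemoteUser() is non-null only after the container has authenticated
        // the request; it is never taken from a header or parameter the client
        // can simply assert, which is what makes it usable as an identity.
        String remoteUser = req.getRemoteUser();
        if (remoteUser == null) {
            // The URL is not covered by a security-constraint, so nobody was authenticated.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        if (!isRegistered(remoteUser)) {
            // Authenticated by the realm but not registered in this application:
            // that is an authorisation failure (403), not an authentication one (401).
            log("Rejected unregistered user '" + remoteUser + "' from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not a registered user");
            return;
        }
        resp.setContentType("text/plain");
        try (PrintWriter out = resp.getWriter()) {
            out.println("Hello, " + normalize(remoteUser)
                    + " (authenticated via " + req.getAuthType() + ")");
        }
    }
}
```

The split between the two checks is the practical point: the realm decides whether the credentials are valid, and the application decides whether that (already verified) account is allowed in. If getRemoteUser() comes back null in production, the usual cause is a url-pattern that does not match the servlet's path, so the container never ran the login at all.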
