Vladimir Vanyukov asked

> I have seen this question here many times and have seen many answers but
> most of them never really ANSWERED the question. So I figured I'd ask
> one more time. Is there any way to programmatically authenticate users?

Is there any way for a computer to recognize the person operating it? Nope.
So the next best thing is passwords. (Or retinal imprints, which are a fancy
sort of password with fewer problems.)

If the password is never put on the network, there is no way for the
password to be stolen from the network. You only have to worry about the
likes of trojan horses and non-descript vans on the street outside with
expensive telemetry equipment that can interpret noise from your keyboard,
etc.

If the password gets out on the network, it can be observed.

> Example:
> If I have a simple username/password form somewhere on an unprotected
> page, how do I use that information (assuming the user filled it out and
> submitted it) to allow him to view protected pages?

Unless I am totally confused, you don't.

You let him/her connect to a "secured" page (https) to login. The login page
works with the browser to encrypt things like passwords before they are put
on the network. That way, you don't have to worry as much about whether the
password is observed, because you can be fairly confident that the observer
can't read it. (If you set things up well.)

And you don't let him/her proceed from the login page unless he/she supplies
a valid password.

Now, if I have this description wrong, will someone who really knows please
correct me? There ought to be a page somewhere in the on-line docs that
tells you how to have Tomcat negotiate this stuff for you. I wonder where
that could be? Hmm. This looks kind of promising:

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka



