I have set up a JDBCRealm and am using it with form-based login to secure/protect my webapp. However, I have a few questions which I hope somebody can help me with.

1. The JDBCRealm is set up with the following in server.xml:

   <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
          driverName="org.gjt.mm.mysql.Driver"
          connectionURL="jdbc:mysql://localhost/authentication"
          userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name"/>

   However, I have noticed that this requires the password (stored in the user_pass column) to be clear text, which I really don't like doing. Is there any way to store the passwords as hashes (i.e. using the PASSWORD() function in MySQL)?

2. I read that "a call to j_security_check will be made by every attempt to access your secured pages". Since I am protecting every page in my webapp, I'm wondering how efficient "j_security_check" is. Does it simply look at the session, or does it make a database call on each and every request?

3. How do you specify a page for authenticated users who do not have the correct permissions/roles? At the moment, I have this in web.xml:

   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>login.jsp</form-login-page>
       <form-error-page>login-error.jsp</form-error-page>
     </form-login-config>
   </login-config>

   login.jsp is the form that shows when an authenticated user tries to access the site. login-error.jsp is displayed when an incorrect username/password is submitted. However, when a correct username/password is submitted but the user does not possess an adequate role, I see a default "You are not authorized" message. How can I customize the page that is shown in such circumstances?

4. Is there a formal method of logging out, rather than calling invalidate() on the session?

5. If your webapp's authentication works fine on Tomcat, would it then work on, say, BEA WebLogic or IBM WebSphere?

Sorry for so many questions, but I can't find a comprehensive description of this anywhere. I've only found setup/configuration guides which deal with the simple issues.

Soefara.
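Added example (not part of the original post or of Tomcat's code base), illustrating the hashed-password question above. Tomcat's JDBCRealm accepts a digest attribute (e.g. digest="SHA" or digest="MD5"); with it set, the realm applies the named java.security.MessageDigest to the submitted password, hex-encodes the result in lowercase, and compares that string with the user_pass column. The block below reproduces that computation so the column can be populated without the bundled tool, and shows why MySQL's own PASSWORD() output (the 4.1+ format is assumed here) will never match what the realm computes. The user name and password are constructed sample values; the helper names are mine.

```python
import hashlib
import hmac

# Constructed sample credentials for the demonstration (not from the post).
SAMPLE_USER = "soefara"
SAMPLE_PASSWORD = "abc"


def tomcat_digest(password: str, algorithm: str = "SHA") -> str:
    """Value to store in user_pass when the Realm has digest="SHA" or
    digest="MD5": MessageDigest of the password bytes, rendered as lowercase
    hex. This is what the bundled tool prints:
        java org.apache.catalina.realm.RealmBase -a SHA <password>
    Tomcat digests String.getBytes() (platform default charset), so ASCII
    passwords are safe; non-ASCII ones depend on the JVM's default encoding.
    """
    name = {"SHA": "sha1", "MD5": "md5"}[algorithm.upper()]
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def realm_accepts(stored_cred: str, submitted_password: str,
                  algorithm: str = "SHA") -> bool:
    """What the realm does at login once a digest is configured: hash the
    submitted password the same way and compare strings. The comparison is
    case-sensitive, so an upper-case hex value in the table never matches.
    (constant-time compare is a hardening choice of this example.)"""
    return hmac.compare_digest(stored_cred,
                               tomcat_digest(submitted_password, algorithm))


def mysql_password_41(password: str) -> str:
    """MySQL's PASSWORD() as of 4.1 (assumed format): '*' followed by
    upper-case hex of SHA1(SHA1(password)). Shown only to demonstrate that
    it is a different string from the realm's single SHA-1 hex digest."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def users_insert(user: str, password: str, algorithm: str = "SHA"):
    """Parameterised INSERT for the users table named in the post; returns
    (sql, params) so the caller binds values instead of concatenating."""
    sql = "INSERT INTO users (user_name, user_pass) VALUES (%s, %s)"
    return sql, (user, tomcat_digest(password, algorithm))


if __name__ == "__main__":
    stored = tomcat_digest(SAMPLE_PASSWORD)
    print("stored user_pass (digest=SHA):", stored)
    print("login with correct password :", realm_accepts(stored, SAMPLE_PASSWORD))
    print("login with wrong password   :", realm_accepts(stored, "abd"))
    print("MySQL PASSWORD() instead    :", mysql_password_41(SAMPLE_PASSWORD))
    print("would the realm accept it?  :",
          realm_accepts(mysql_password_41(SAMPLE_PASSWORD), SAMPLE_PASSWORD))
    print(users_insert(SAMPLE_USER, SAMPLE_PASSWORD))
```

The point of the last two lines of the demo is the caveat: storing PASSWORD(...) from MySQL puts a string in user_pass that the realm can never reproduce from the submitted password, so every login fails; populate the column with the realm's own digest format (or with the digest tool) instead.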