I have set up a JDBCRealm and am using it with form-based login to
secure/protect my webapp.  However, I have a few questions which I
hope somebody could help me with,

1. The JDBCRealm is set up with the following in server.xml.

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
     driverName="org.gjt.mm.mysql.Driver"
     connectionURL="jdbc:mysql://localhost/authentication"
     userTable="users" userNameCol="user_name" userCredCol="user_pass"
     userRoleTable="user_roles" roleNameCol="role_name"/>

    However, I have noticed that this requires the password (stored in
    the user_pass column) to be clear text, which I really don't like doing.
    Is there any way to store the passwords as hashes (i.e. using the
    password() function in MySQL)?

2. I read that "a call to j_security_check will be made by every attempt
   to access your secured pages".  Since I am protecting every page in my
   webapp, I'm wondering how efficient "j_security_check" is.
   Does it simply look at the session, or does it make a database call on
   each and every request?

3. How do you specify a page for authenticated users who do not have
   the correct permissions/roles?  At the moment, I have this in web.xml:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>login.jsp</form-login-page>
            <form-error-page>login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    login.jsp is the form that shows when an authenticated user tries to
    access the site.
    login-error.jsp is displayed when an incorrect username/password is
    submitted.

    However, when a correct username/password is submitted but the user
    does not possess an adequate role, I see a default "You are not
    authorized" message.
    How can I customize the page that is shown in such circumstances?


4. Is there a formal method of logging out, rather than calling
   invalidate() on the session?

5. If your webapp's authentication works fine on Tomcat, would it then
   work on, say, BEA WebLogic or IBM WebSphere?

Sorry for so many questions but I can't find a comprehensive description
of this anywhere. I've only found setup/configuration guides which deal
with the simple issues.

Soefara.
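An added worked example for question 1, not part of the original post or of Tomcat's own code. Tomcat's JDBCRealm accepts a `digest` attribute on the `<Realm>` element (`digest="MD5"` or `digest="SHA"`); with it set, the realm runs the submitted password through `java.security.MessageDigest` and compares the lowercase hex result against the `user_pass` column, so the column must hold that hex digest rather than clear text. The script below reproduces that digest in Python (hashlib is byte-for-byte equivalent to MessageDigest for MD5 and SHA-1) to generate rows for the `users` table, verifies a login the way the realm would, and contrasts the value with MySQL's own PASSWORD() function to show why the two are not interchangeable. The sample user, the `verify` helper and the assumption that passwords are ASCII/UTF-8 encoded are mine, not the post's.

```python
import hashlib
import hmac

# Constructed sample data standing in for the post's users table
# (user_name, clear-text user_pass) before migrating to digests.
SAMPLE_USERS = {"soefara": "s3cret!"}

# Java MessageDigest algorithm names used by the Tomcat `digest` attribute,
# mapped to their hashlib equivalents. "SHA" in Java means SHA-1.
JAVA_TO_HASHLIB = {"SHA": "sha1", "MD5": "md5"}


def tomcat_digest(password: str, algorithm: str = "SHA") -> str:
    """Digest a password the way Tomcat's RealmBase does when
    digest="SHA" or digest="MD5" is set on the <Realm>:
    one MessageDigest pass over the password bytes, lowercase hex.
    Assumption: the platform default charset encodes the password as UTF-8."""
    h = hashlib.new(JAVA_TO_HASHLIB[algorithm])
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(pw)).
    (Older MySQL releases used a different 16-character scheme.)
    Shown only to demonstrate it differs from what Tomcat computes, so a
    user_pass column filled with PASSWORD() would never match a login."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify(stored_hex: str, submitted: str, algorithm: str = "SHA") -> bool:
    """What JDBCRealm does on j_security_check: digest the submitted
    password and compare it with the user_pass column. compare_digest
    avoids leaking the match position through timing."""
    return hmac.compare_digest(stored_hex, tomcat_digest(submitted, algorithm))


def build_user_rows(algorithm: str = "SHA") -> dict:
    """Values to write into users(user_name, user_pass) when migrating
    from clear text, e.g. UPDATE users SET user_pass=%s WHERE user_name=%s."""
    return {name: tomcat_digest(pw, algorithm) for name, pw in SAMPLE_USERS.items()}


if __name__ == "__main__":
    rows = build_user_rows("SHA")
    for name, digest in rows.items():
        print(f"{name}: user_pass={digest}")
    print("login ok:", verify(rows["soefara"], "s3cret!"))
    print("wrong pw:", verify(rows["soefara"], "guess"))
    print("MySQL PASSWORD() would store:", mysql_password("s3cret!"))
```

The matching server.xml change is the single attribute `digest="SHA"` (or `"MD5"`) on the existing `<Realm className="org.apache.catalina.realm.JDBCRealm" ...>` element; the MySQL `PASSWORD()` function produces a different encoding, so populate `user_pass` with the digest computed above instead.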


