Mike,

Using an RDBMS table for authentication isn't bad, but make sure you store only the hashed password, so even the DBA can't read them. When the user enters the password again, hash it and compare with the DB hashed password.

Make sure you enabled HTTPS, so that even network sniffers can't read them. In general, organizations normally use an LDAP service to store passwords, so every application can be accessed using the same user-id and password (or using some sort of SSO application). If you need to know more about it, dig out OpenLDAP.

Storing roles (or permissions) in the session is good, as it reduces DB operations.

Hopefully you will also get more answers soon :). I am also curious to know more about it from others.

Regards,
Mohan

-----Original Message-----
From: Michael Ni [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 09, 2007 9:17 AM
To: [email protected]
Subject: RE: web application - student need help Thank You's

I just want to thank everyone who provided input to my question. I am going to try to set up the connection pool.

By the way, I have another question about authentication to websites. For authentication, currently I basically have a "Person" table, where one field is your permission. Example table person:

username = bob
password = wawawawa
permission level = admin

So during login, after a person enters his username and password, it will check to see if the username exists in the person table. If it does exist, it will verify the password and return his permission. That permission is stored in the session, and each JSP page will check to see if his permission is correct. If a person's permission is wrong, it will redirect you to another page.

Although this method works, I don't know if it is very professional. Does anyone have any ideas how to set up a professional-style authentication system? Something a business would use where exposing customer information is a liability.

mike
---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
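The hash-on-login-and-compare scheme Mohan describes, combined with the session-held permission check from Michael's question, as an added example that is not code from the original thread or from either poster. It uses only the Python standard library (hashlib.pbkdf2_hmac, hmac.compare_digest and an in-memory SQLite table). The thread says only "hashed"; the choice of a per-user random salt, PBKDF2-HMAC-SHA256 with 600,000 iterations, the record format, the table columns and the sample users are all assumptions made here.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: PBKDF2-HMAC-SHA256 with this many iterations. The thread only
# says "hashed"; a single unsalted MD5/SHA-1 pass would not stop a DBA with a
# precomputed table or a GPU.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh random 16-byte salt per user means two users with the same password
    get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-hash the supplied password with the stored salt/iterations and compare."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Record to grind against when the username does not exist, so a login attempt
# for an unknown user takes as long as one for a known user (no username oracle).
DUMMY_HASH = hash_password("not-a-real-password")


def create_person_db():
    """Constructed sample: the 'person' table from Michael's message, with the
    clear-text password column replaced by the hash record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person ("
        " username TEXT PRIMARY KEY,"
        " password_hash TEXT NOT NULL,"
        " permission TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO person VALUES (?, ?, ?)",
        [
            ("bob", hash_password("wawawawa"), "admin"),
            ("alice", hash_password("correct horse battery"), "user"),
        ],
    )
    conn.commit()
    return conn


def login(conn, username, password, session):
    """Check the credentials; on success put only the permission (never the
    password) into the session dict. Returns True on success, False otherwise."""
    row = conn.execute(  # parameterised query, never string concatenation
        "SELECT password_hash, permission FROM person WHERE username = ?",
        (username,),
    ).fetchone()
    stored = row[0] if row is not None else DUMMY_HASH
    ok = verify_password(password, stored) and row is not None
    if ok:
        session["username"] = username
        session["permission"] = row[1]
    return ok


def require_permission(session, needed):
    """The per-page check from Michael's description: True means render the
    page, False means redirect the user elsewhere."""
    return session.get("permission") == needed


if __name__ == "__main__":
    db = create_person_db()
    sess = {}
    print("bob/wawawawa:", login(db, "bob", "wawawawa", sess), sess)
    print("bob/wrong:   ", login(db, "bob", "wrong", {}))
    print("nobody/x:    ", login(db, "nobody", "x", {}))
    print("admin page:  ", require_permission(sess, "admin"))
```

The record carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed on the user's next successful login. Mohan's HTTPS point is a deployment setting rather than code: without it the clear-text password still crosses the wire once, at login, no matter how it is stored.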
