-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stéphanie,
On 4/1/2010 3:12 AM, Stéphanie Cettou wrote: > - the webapp running in a Microsoft Windows 2003 Server environment. > Active directory is NOT use in this server. Got it. > - Actually the users authenticate with a user/passwords/roles in a SQL > 2000 Database. Perfect! There's no reason to mess around with AD/NTLM/Kerberos or any of that stuff: just use a standard Realm that ships with Tomcat to authenticate against a JDBC user database. Uh, does "SQL 2000 Database" really mean "Microsoft SQL Server 2000"? > <Realm className="org.apache.catalina.realm.JDBCRealm" I highly recommend that you do *not* use JDBCRealm, as this realm is "effectively single-threaded" according to the Tomcat developers. Consider using DataSourceRealm instead, which uses a pool of JDBC connections to perform authentication. > driverName="net.sourceforge.jtds.jdbc.Driver" If you're running Microsoft SQL Server, you should probably be using the Microsoft JDBC driver. Although, I did look up jTDS and it looks like it's a decent driver. > userTable="Users" userNameCol="UserId" userCredCol="Password" > userRoleTable="UsersFeatures" roleNameCol="FeatureID" /> > > like standard tomcat authentication. Okay, great. It wasn't clear that you had an acceptable authentication solution already implemented. > But, I need to change to implement my goal... > > c) Can you use your own database? Yes (but I must to be implement > complex authentication) I see. Let's go to your previous message: > - Check type of password (more that 8 char, special char,...) Tomcat does not provide any way to change passwords, so you'll have to implement these items yourself in your password-change code. > - Ask new password every month (from the web site) Again, you'll have to implement this yourself. > - Block the user after 3 failed login Tomcat does not implement this until recent versions of Tomcat 6.x. Are you able to upgrade to the latest Tomcat 6.x? You can use LockOutRealm to do /some/ kind of blocking (I'm not sure exactly what your requirements are, and I'm not sure exactly what the LockOutRealm does to enforce the locking). > - Block inactive user (ex after 90 days) Tomcat does not do this, either: you'll have to either use your own authentication system (such as securityfilter http://securityfilter.sourceforge.net along with your own Realm implementation that includes additional data-checking during the login) or in some other way. We implement features like the above in our project by using securityfilter with a custom Realm, plus a "credential Filter" which checks password age and user status, and then does things like redirect all requests to the "change password" page if you need to change your password, etc. Perhaps something like that would work for you. Hope that helps, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAku0oRYACgkQ9CaO5/Lv0PComwCfb/JwX0d2yDh8SvUVoteSh+lM d4QAoJLrIaWZCzFApoB9uHS/G//4i+K4 =cSNG -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
