On 21/08/2010 05:42, Yawar Khan wrote:
> Chris, I had a look at container managed authentication and it's quite handy.
> But I couldn't see how I can add extra functionality like calling an encryption
> function on the password text field before Tomcat does its authentication on it.

The Tomcat Documentation is an excellent resource and is worth the time
you'll spend reading it.  See the 'digest' attribute of the
DataSourceRealm.  (You are using a DataSource, aren't you?)

http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html#Standard_Implementation

> For JS, my client-side authentication is done on the form submit button click
> event. If the hackers do disable JavaScript, how will my HTML form be submitted?

By pushing the button?

By constructing a URL and posting to it using a non-browser script in an
automated attack client?

> However, I will add some server-side validation as well; I agree that's
> important.

Don't bother, just use the container auth.  That way you don't have to
worry about SQL injection attacks, because the SQL isn't poorly cobbled
together using String concatenation.


p

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Sent: Friday, August 20, 2010 3:41 AM
> To: Tomcat Users List
> Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
>  
> Yawar,
> 
> On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
>> your comments on my current code tell me that this code is not bad,
>> but I should check out Tomcat's container managed logins... right?
> 
> This code seems to be doing more work than necessary. Container-managed
> authentication and authorization is a useful service provided by the
> container. I highly recommend taking a look at using it, but it may be
> ... disruptive to your existing workflows.
> 
>> plus I would like to mention that I have client side form validations
>> (js) to stop query busters.
> 
> I'm sure that hackers will be sure to leave javascript enabled when they
> visit your site.
> 
> -chris
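As an added illustration of the 'digest' attribute Pid points to above (this is example configuration, not anything posted in the thread), here is a DataSourceRealm set up so that Tomcat hashes the submitted password itself before comparing it with the stored value, the web.xml fragment that hands the login to the container, and the form that FORM authentication expects. The JNDI name `jdbc/AppDB`, the table and column names, the `/secure/*` path and the page names are assumptions.

```xml
<!-- conf/server.xml, inside <Engine> or <Host>. Added example; names are assumptions. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/AppDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA-256"/>
<!-- With digest set, user_pass holds a hex digest of the password, never the
     clear text. Tomcat digests what the user typed and compares the two, so the
     webapp never has to "call an encryption function" on the field itself.
     Create stored values with the bundled tool instead of hand-rolled code:
       $CATALINA_HOME/bin/digest.sh -a SHA-256 <password>
     The realm issues its lookups as PreparedStatement queries, so user input
     is never concatenated into SQL. -->

<!-- WEB-INF/web.xml: the container, not a servlet, gates these pages -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>

<!-- login.jsp: FORM auth requires exactly this action and these field names.
     Nothing here depends on JavaScript; a client that posts these two fields
     directly is handled by the same server-side check. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>
```

Any URL under /secure/ that is requested before login is intercepted by Tomcat, which shows login.jsp and, on success, replays the original request.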
