Only a simple question: what is the flag for which URLs are protected?
I have found this link http://tomcat-configure.blogspot.com/2009/01/tomcat-web-xml.html
and especially the section:
How to secure your application with JAAS?

Let's say that my htdocs directory is there:
/opt/testApp/htdocs/index.html
and servlet storage is there:
/opt/testApp/servlet/

Logging page is mentioned here:
/opt/globalPages/htdocs/index.html

How to configure https://<ipaddress>/testApp/ so that if HTTP COOKIE is
not defined then /opt/globalPages/htdocs/index.html will be shown,
otherwise /opt/testApp/htdocs/index.html will be shown.

Thank you very much

2011/6/13 Pid <p...@pidster.com>:
> On 13/06/2011 07:50, Petr Hracek wrote:
>> First authentication is done so that if in the browser exists relevant
>> HTTP COOKIE and validation of that cookie is done then page should be
>> shown.
>> How to do that I do not know from the tomcat point of view.
>>
>> Is there any possibility how to check valid HTTP COOKIE otherwise
>> showing login page.
>>
>> If HTTP COOKIE is not existing then logging has to be done over my own
>> program.
>> How to do that I do not know as well.
>>
>> Are there any examples?
>
> From the little information you give, you're describing container
> managed security. FORM auth as defined by the Servlet Spec can do just
> that.
>
> You configure a Realm, some elements in web.xml which define where the
> login form & error pages are, and which URLs are protected.
>
>
> p
>
>
>> 2011/6/13 Petr Hracek <phrac...@gmail.com>:
>>> First authentication is done so that if in the browser exists relevant
>>> HTTP COOKIE and validation of that cookie is done then page should be
>>> shown.
>>>
>>>
>>> 2011/6/12 Mark Thomas <ma...@apache.org>:
>>>> On 12/06/2011 20:29, Pid wrote:
>>>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>>>> And what about in case that I have my own program for accessing to the
>>>>>> specific
>>>>>> databases where the passwords are stored as hashes?
>>>>>>
>>>>>> Are there any possibilities how to run that program for getting unhashed
>>>>>> password from database?
>>>>>
>>>>> Why not hash the inbound password, then send & compare it against the
>>>>> one in the DB, rather than decoding it?
>>>>>
>>>>> The Realm implementations can handle this, if you're using a standard
>>>>> hashing method that Java recognises.
>>>>>
>>>>> Hopefully you've not invented your own hashing method.
>>>>
>>>> Hmm. Hash functions are meant to be one way. It should be impossible to
>>>> retrieve an unhashed password from the database.
>>>>
>>>> I hope that the original description is inaccurate rather than an
>>>> example of (yet another) badly broken home-grown security solution that
>>>> needs to be thrown away.
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>
>>>
>>>
>>> --
>>> Best Regards / S pozdravem
>>> Petr Hracek
>>>
>>
>
>

--
Best Regards / S pozdravem
Petr Hracek
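
A web.xml fragment for the FORM authentication Pid describes, as an added example that is not part of the original thread: the `<url-pattern>` entries inside `<security-constraint>` are what decide which URLs are protected. The role name and the login and error page paths are assumptions; `<form-login-page>` is resolved relative to the web application root, so the login page has to live inside the application.

```xml
<!-- Added example: fragment of WEB-INF/web.xml for the testApp context. -->
<!-- Role name and page paths below are assumptions, not from the thread. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>testApp pages</web-resource-name>
    <!-- url-pattern selects the protected URLs. Patterns are relative
         to the context root, so this covers everything under /testApp/ -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only authenticated users holding this role are let through -->
    <role-name>testapp-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require HTTPS, matching the https:// URL in the question -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Served when a protected URL is requested without an
         authenticated session (no valid session cookie). The form must
         POST j_username and j_password to j_security_check. -->
    <form-login-page>/login.html</form-login-page>
    <!-- Served when the Realm rejects the submitted credentials -->
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>testapp-user</role-name>
</security-role>
```

After a successful login the container ties the authenticated user to the session, so later requests carrying the session cookie reach the originally requested page without seeing the login form again.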