Posted to users@tomcat.apache.org by Brian Charlton <br...@vega.co.uk> on 2000/11/14 16:16:10 UTC

Security Constraints

Hi

I'm new to Apache/Tomcat so expect an obvious question.

I'm currently designing a multi-tier internet application based upon J2EE
blueprints.  To implement security in J2EE Web Tier the normal approach is
to denote Web Resources (JSPs, Servlets etc) as protected (e.g. form-based
authentication) in the deployment descriptor file for the Web components.

For a web client to access the resources they are forced (by the J2EE
container) to log in to the system by completing a login form.

This is the J2EE approach (I've read).  

I've been advised that Web/Application servers that support J2EE (i.e.
Enterprise Java Beans) are not brilliant at the moment and I should consider
using Apache/Tomcat as a web server and Oracle 8i as my back end database
and J2EE platform to run business logic in EJBs.

If I can't use J2EE Security constraints in the deployment descriptor file
of the web tier, how does Apache/Tomcat authenticate users?

Yours hopefully

Brian
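
The declarative approach described in the message, shown as a web.xml fragment using the Servlet specification's elements. This is an added example, not part of the original post; the URL patterns, page names, resource name and the role name "user" are assumptions chosen for illustration.

```xml
<web-app>
  <!-- Everything under /protected/* requires an authenticated caller
       holding the "user" role (hypothetical path and role). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- No <http-method> elements: the constraint then applies to every
           HTTP method. Listing only GET and POST would leave the other
           methods outside the constraint. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Form login sends the password in the request body, so require a
         confidential (SSL/TLS) transport for these resources. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form-based authentication: the container redirects unauthenticated
       requests for a protected resource to the login page. The login and
       error pages sit outside /protected/* so they stay reachable. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced above must be declared here; which users hold them
       is configured in the container, not in the application. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The login page named in form-login-page posts the fields j_username and j_password to the action j_security_check, which the container handles itself.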

